OverGraph - HTB [Discussion]
Did anyone get a foothold on the machine through the panel?
Reply
Yep, then you can use the XSS on graph.htb?redirect= to exfil the admin's tokens through the messages panel, and then exploit the ffmpeg local file read to get user SSH.
Reply
(May 4, 2022, 07:22 PM)Internetdreams Wrote: Yep, then you can use the XSS on graph.htb?redirect= to exfil the admin's tokens through the messages panel, and then exploit the ffmpeg local file read to get user SSH.


Can't find the URI for messages panel. Where is it?
Reply
(May 4, 2022, 07:22 PM)Internetdreams Wrote: Yep, then you can use the XSS on graph.htb?redirect= to exfil the admin's tokens through the messages panel, and then exploit the ffmpeg local file read to get user SSH.


Can you please tell a few more details?

I can make the server send requests to me. When I point to graph.htb?redirect=http://myip the Referer is graph.htb, but how do I exploit that to get the cookie/token?
Reply
Same here, interested to know a bit more about WHERE the XSS input can be abused. Not the inbox, as that appears to be a static page, so where in messages? Did I miss an endpoint/page somewhere?
Reply
Thinking about the past, I was able to use the redirect with an XSS with a JSON payload... didn't find the endpoint either :(
Reply
(May 4, 2022, 07:22 PM)Internetdreams Wrote: Yep, then you can use the XSS on graph.htb?redirect= to exfil the admin's tokens through the messages panel, and then exploit the ffmpeg local file read to get user SSH.


Got the XSS vector, but how do I submit this reflected XSS to the admin? How did you manage to log in to the website as a normal user? Is any brute force required?
Reply
(May 3, 2022, 01:14 AM)Internetdreams Wrote:
(May 2, 2022, 06:26 PM)Exa Wrote:
(May 2, 2022, 05:57 AM)dude4695 Wrote: http://internal.graph.htb/

add this key and value in cookie's Local Storage

username          mark

username is key and mark is value
and go to
http://internal.graph.htb/profile
you will get panel access


I tried (Cookie: username=mark) but I get redirected back to the login page.


It's localstorage not cookies


hey bro i found a GRAPHQL when you can sendmessage but the detail, is that i don't know the gmails to send maybe i can send a XSS payload
anyone can help me plz
Reply
Has anyone managed to get anything from graph.htb/?redirect ? I mean, you can't read the localStorage/cookies info of internal.graph.htb from graph.htb...
Reply
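The thread's vector is a `?redirect=` parameter whose value is used for navigation, which is exactly where a `javascript:` URL (reflected XSS) or an absolute URL (open redirect to the poster's "myip" listener) gets in. As an added example, not code from the thread or from the OverGraph box, here is how a client-side redirect handler should validate that parameter before using it. The helper names (`getRedirectParam`, `safeRedirectTarget`) and the origin `http://graph.htb` are assumptions taken from the discussion, not from the real application.

```javascript
// Added example (not the box's code): validating a `?redirect=` parameter.
// The vulnerable pattern is `location.href = rawParam`, which lets
// javascript: URLs execute and absolute URLs send the user off-site.

// Hypothetical helper: pull the redirect parameter out of a query string.
function getRedirectParam(search) {
  const params = new URLSearchParams(search);
  return params.get("redirect");
}

// Returns a same-origin path to navigate to, or null if the value is not
// acceptable. `currentOrigin` is the origin of the page doing the redirect
// (e.g. "http://graph.htb" in the thread; an assumed value).
function safeRedirectTarget(raw, currentOrigin) {
  if (typeof raw !== "string" || raw.length === 0) return null;

  // Normalise the origin we compare against (drops any trailing path).
  const base = new URL(currentOrigin).origin;

  // Resolve relative to our origin; malformed input throws and is rejected.
  let target;
  try {
    target = new URL(raw, base);
  } catch (e) {
    return null;
  }

  // Reject javascript:, data:, vbscript: and any other non-HTTP scheme.
  // new URL("javascript:alert(1)", base) keeps the javascript: scheme.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;

  // Reject anything that leaves our origin. Protocol-relative values such as
  // "//evil.example/x" resolve to a foreign host and fail this check too.
  if (target.origin !== base) return null;

  // Hand back only path + query + fragment, never a full URL built from input.
  return target.pathname + target.search + target.hash;
}

// Usage: a safe handler only navigates when validation returns a path.
function handleRedirect(search, currentOrigin) {
  const dest = safeRedirectTarget(getRedirectParam(search), currentOrigin);
  return dest === null ? "/" : dest; // fall back to the site root
}
```

The design choice worth noting is that the function returns a relative path rather than the parsed URL: even after the origin check passes, handing the caller only `pathname + search + hash` means no attacker-influenced scheme or host ever reaches `location.href`.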
(May 4, 2022, 01:51 PM)Exa Wrote:
(May 3, 2022, 01:14 AM)Internetdreams Wrote:
(May 2, 2022, 06:26 PM)Exa Wrote:
(May 2, 2022, 05:57 AM)dude4695 Wrote: http://internal.graph.htb/

add this key and value in cookie's Local Storage

username          mark

username is key and mark is value
and go to
http://internal.graph.htb/profile
you will get panel access


I tried (Cookie: username=mark) but I get redirected back to the login page.


It's localstorage not cookies


Thanks for the clarification. Local storage works.


But I can't access http://internal.graph.htb/inbox. We need a valid cookie.
Reply