Via Traffic Sniffing
Requirements:
- Attacker must be on the same local network as the victim
- Unencrypted HTTP traffic (not HTTPS)
Practice Example:
Part 1: Simulate the attacker
- Navigate to http://xss.htb.net
- Using Web Developer Tools, note the “auth-session” cookie
- Start Wireshark: sudo -E wireshark
- Right-click “tun0” → “Start capture”
Part 2: Simulate the victim
- Open a New Private Window and log in to http://xss.htb.net
- Credentials: heavycat106 / rocknrol
Part 3: Obtain the victim’s cookie
- In Wireshark, filter for HTTP traffic
- Edit → Find Packet → Packet bytes → String → search “auth-session”
- Right-click packet → Copy → Value
Part 4: Hijack the victim’s session
- Replace your cookie with the stolen value (remove “auth-session=” part)
- Refresh page → you are now logged in as the victim
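The sniffing scenario above works because the cookie crosses the wire in plaintext. As an added defender-side check (not part of the original notes), the script below audits Set-Cookie headers for the Secure, HttpOnly and SameSite attributes; the “auth-session” cookie name comes from the notes, the response headers and session id value are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value and report attributes that permit sniffing or theft."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:  # attribute names are case-insensitive (RFC 6265)
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    audit = CookieAudit(name)
    if "secure" not in attrs:
        # Without Secure the browser sends the cookie over http://, where Wireshark sees it.
        # Secure only helps if the site itself is served over HTTPS.
        audit.findings.append("missing Secure: cookie sent over plaintext HTTP")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: cookie readable by page script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return audit


def audit_response(raw_headers: str) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a raw HTTP response header block."""
    results = []
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            results.append(audit_set_cookie(value.strip()))
    return results


# Constructed sample: what a plaintext http:// login response might look like.
WEAK_RESPONSE = "HTTP/1.1 302 Found\nSet-Cookie: auth-session=EXAMPLE_SESSION_ID; Path=/\nLocation: /"
# Constructed sample: same cookie with the attributes that block the scenario above.
HARDENED_RESPONSE = ("HTTP/1.1 302 Found\nSet-Cookie: auth-session=EXAMPLE_SESSION_ID; "
                     "Path=/; Secure; HttpOnly; SameSite=Lax\nLocation: /")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for a in audit_response(resp):
            print(label, a.name, "OK" if a.ok else a.findings)
```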
Via Post-Exploitation (Web Server Access)
PHP Session Storage
- session.save_path in php.ini specifies the storage location (default: /var/lib/php/sessions)
- Session files follow the naming convention: sess_<sessionID>
- Command: cat /var/lib/php/sessions/sess_s6kitq8d3071rmlvbfitpim9mm
Java (Tomcat) Session Storage
- Default: active sessions stored in memory
- Optional: sessions swapped out to storage location via Store element
- Default session data file: SESSIONS.ser
.NET Session Storage
- InProc mode: Application worker process (aspnet_wp.exe)
- OutProc mode: StateServer (Windows service on IIS or separate server)
- SQL Server: Database storage option
Via Database Access
show databases;
use project;
show tables;
select * from all_sessions where id=3;