[Day 5] Pesky Elf Forum

{Web Exploitation = XSS}

Last updated 3 years ago

Story

The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they've installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.

Challenge

Logging in with the given credentials returns the following.

Username: McSkidy

Password: password

Visiting the settings page reveals a password reset feature.

Posting the following as a comment reveals that the platform is vulnerable to stored XSS: any payload posted as a comment runs in the browser of every user who later views the page.

<script>alert(1)</script>

Now I needed to chain this stored XSS with a password reset attack against the grinch account, and I should be able to get in. The password reset URL is revealed when trying to change the password.

http://10.10.31.34/settings?new_password=nee

Next, I posted a comment with the following contents to change the password of any visitor to that thread to neewashere.

<script>fetch('/settings?new_password=neewashere');</script>
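The chain above works because of two separate defects: comment bodies are rendered into the page without output encoding, and the password change is a GET request with no CSRF protection or re-authentication. The following is an added example, not code from the TryHackMe room or the forum application, modelling both defects in a framework-free Python handler next to a hardened version. The `Request`, `Session` and `handle_settings_*` names are hypothetical, and the user name and password values are taken from the walkthrough only to make the model concrete.

```python
"""
Added example (not from the room or the forum software): a minimal model
of the vulnerable comment rendering and GET-based password change described
in the walkthrough, beside hardened versions. All names are hypothetical.
"""
import html
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session CSRF token, issued once and embedded in the settings form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    query: dict      # parameters carried in the URL
    form: dict       # parameters carried in a POST body
    session: Session


# ---- vulnerable behaviour, as the walkthrough describes it ----

def render_comment_vulnerable(body: str) -> str:
    # The comment text is interpolated straight into the page, so any
    # <script> inside it executes in every viewer's browser (stored XSS).
    return f"<div class='comment'>{body}</div>"


def handle_settings_vulnerable(req: Request, passwords: dict) -> str:
    # A GET with ?new_password=... changes the password of whoever is logged
    # in, so script injected into a comment can change it for every visitor.
    new = req.query.get("new_password")
    if new:
        passwords[req.session.user] = new
        return "password changed"
    return "settings page"


# ---- hardened versions ----

def render_comment_hardened(body: str) -> str:
    # HTML-encode on output so user content is displayed, never interpreted.
    return f"<div class='comment'>{html.escape(body, quote=True)}</div>"


def handle_settings_hardened(req: Request, passwords: dict) -> str:
    # 1. State changes only via POST; a GET never modifies anything.
    if req.method != "POST":
        return "settings page"
    # 2. The request must carry the per-session CSRF token. Script running
    #    in the victim's origin could still read it, which is why output
    #    encoding is the primary fix; the token blocks cross-site forgery.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "forbidden: bad csrf token"
    # 3. Re-authenticate: the caller must know the current password, which
    #    injected script does not.
    stored = passwords.get(req.session.user)
    current = req.form.get("current_password", "")
    if stored is None or not hmac.compare_digest(current, stored):
        return "forbidden: wrong current password"
    new = req.form.get("new_password", "")
    if len(new) < 12:
        return "rejected: password too short"
    passwords[req.session.user] = new
    return "password changed"
```

Run against the walkthrough's payload, the vulnerable handler changes the password on a bare GET while the hardened one ignores the GET entirely and only accepts a POST carrying the session's token and the current password; the escaped comment renders the payload as visible text.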

After waiting for about a minute or so, I was able to log in to the grinch account with neewashere as the password. I was also able to see the active plugin and disable it.
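From the defender's side, this attack leaves a clear trace in the web server's access log: several different authenticated users each issue a GET to `/settings` with a `new_password` parameter, all setting the same value, each shortly after loading the same forum thread. The following is an added example, not part of the room or the forum software, that parses constructed Common Log Format lines and surfaces those two indicators, plus the page each victim loaded just before the change, which is where the injected script lives. The log lines, paths, IPs and timestamps are constructed; the user and password values echo the walkthrough.

```python
"""
Added example (not from the room or the forum software): detection of a
mass password reset driven by injected script, over constructed access
log lines in Common Log Format.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: three users load the same thread and, a second
# later, each "changes" their password to the same value over GET. A fourth
# user changes a password legitimately over POST.
SAMPLE_LOG = """\
10.0.0.5 - elf_alice [05/Dec/2021:10:01:12 +0000] "GET /forum/thread/7 HTTP/1.1" 200 5123
10.0.0.5 - elf_alice [05/Dec/2021:10:01:13 +0000] "GET /settings?new_password=neewashere HTTP/1.1" 200 412
10.0.0.9 - elf_bob [05/Dec/2021:10:01:40 +0000] "GET /forum/thread/7 HTTP/1.1" 200 5123
10.0.0.9 - elf_bob [05/Dec/2021:10:01:41 +0000] "GET /settings?new_password=neewashere HTTP/1.1" 200 412
10.0.0.2 - grinch [05/Dec/2021:10:02:05 +0000] "GET /forum/thread/7 HTTP/1.1" 200 5123
10.0.0.2 - grinch [05/Dec/2021:10:02:06 +0000] "GET /settings?new_password=neewashere HTTP/1.1" 200 412
10.0.0.7 - elf_carol [05/Dec/2021:10:03:00 +0000] "POST /settings HTTP/1.1" 302 0
10.0.0.7 - elf_carol [05/Dec/2021:10:03:30 +0000] "GET /settings HTTP/1.1" 200 880
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict with the path and query split out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query)
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_get_password_change(rec):
    # Indicator 1: a state-changing parameter carried in a GET query string.
    return (rec["method"] == "GET" and rec["path"] == "/settings"
            and "new_password" in rec["params"])


def find_get_password_changes(lines):
    records = [r for r in map(parse_line, lines) if r]
    return [r for r in records if is_get_password_change(r)]


def users_sharing_new_password(hits):
    """Indicator 2: many distinct users set to the same value is the
    signature of a reset driven by one script rather than by the users."""
    by_value = defaultdict(set)
    for h in hits:
        by_value[h["params"]["new_password"][0]].add(h["user"])
    return {v: users for v, users in by_value.items() if len(users) > 1}


def likely_source_pages(lines, window_seconds=30):
    """For each GET password change, find the last other page the same user
    loaded within window_seconds before it: that page most likely carries
    the injected script and is where the clean-up should start."""
    records = [r for r in map(parse_line, lines) if r]
    sources = defaultdict(set)
    for i, rec in enumerate(records):
        if not is_get_password_change(rec):
            continue
        for prev in reversed(records[:i]):
            if prev["user"] != rec["user"]:
                continue
            if (rec["time"] - prev["time"]).total_seconds() > window_seconds:
                break
            if prev["path"] != "/settings":
                sources[prev["path"]].add(rec["user"])
                break
    return dict(sources)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = find_get_password_changes(lines)
    print(f"{len(hits)} GET password changes")
    print("shared values:", users_sharing_new_password(hits))
    print("likely source pages:", likely_source_pages(lines))
```

The same three queries translate directly to a SIEM search: filter on method, path and query parameter, group by the parameter value and count distinct users, then join each hit to the same user's previous request. Carol's legitimate POST never matches, which is the behaviour a hardened endpoint should produce for every user.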

What flag did you get when you disabled the plugin?

  • THM{NO_MO**_*****}

🎄