[Day 5] Pesky Elf Forum

{Web Exploitation = XSS}


The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they've installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.


Logging in with the given credentials returns the following.

Username: McSkidy

Password: password

Visiting the settings page reveals a password reset feature.

Posting the following as a comment reveals that the platform is vulnerable to stored XSS attacks. and any payload posted as a comment will run when another user accesses the page.


Now I needed to chain this stored XSS with a password reset attack against the grinch account and I should be able to get in. The password reset is revealed when trying to change the password

Next, I posted a comment with the following contents to change the password of any visitor that visits that thread to neewashere


After waiting for about a minute or so, I was able to login to the grinch account with neewashere as the password. I was also able to see the active plugin and disable it.

What flag did you get when you disabled the plugin?

  • THM{NO_MO**_*****}

Last updated