[Day 5] Pesky Elf Forum
{Web Exploitation = XSS}
The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they've installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.

Log in with the given credentials:
Username: McSkidy
Password: password

Visiting the settings page reveals a password reset feature.

Posting the following as a comment reveals that the platform is vulnerable to stored XSS attacks, and any payload posted as a comment will run when another user accesses the page.
<script>alert(1)</script>


Now I needed to chain this stored XSS with a password reset attack against the grinch account, and I should be able to get in. The password reset request is revealed when trying to change the password: http://10.10.31.34/settings?new_password=nee

Next, I posted a comment with the following contents to change the password of any visitor that visits that thread to neewashere:
<script>fetch('/settings?new_password=neewashere');</script>

After waiting for about a minute or so, I was able to log in to the grinch account with neewashere as the password. I was also able to see the active plugin and disable it.
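The chain above works because of two separate weaknesses: comment bodies are rendered into the page unescaped, and the password change is a plain GET with no CSRF protection, so a script running in the victim's browser can trigger it with the victim's own session. The following is an added example, not code from the room or the writeup: a framework-free model of both the vulnerable handlers and hardened versions, so the fix can be checked offline. All function names, the `Session` class, the 12-character minimum and the sample passwords are assumptions for the example; only the payload string is taken from the writeup.

```python
"""Model of the forum's two weaknesses next to hardened versions (added example)."""
import html
import secrets
from dataclasses import dataclass, field

# Constructed sample input, using the payload shown in the writeup.
XSS_COMMENT = "<script>fetch('/settings?new_password=neewashere');</script>"


@dataclass
class Session:
    """Hypothetical server-side session: the logged-in user plus a per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# --- comment rendering -------------------------------------------------------
def render_comment_vulnerable(body: str) -> str:
    # Untrusted text is concatenated straight into the HTML: stored XSS.
    return f"<div class='comment'>{body}</div>"


def render_comment_safe(body: str) -> str:
    # HTML-escape on output so <, >, &, " and ' can never form markup.
    return f"<div class='comment'>{html.escape(body, quote=True)}</div>"


def script_survives(rendered: str) -> bool:
    """Crude check for the demo: did an unescaped <script> tag reach the page?"""
    return "<script" in rendered.lower()


# --- password change -----------------------------------------------------------
def change_password_vulnerable(passwords: dict, session: Session, method: str, params: dict) -> bool:
    # Any request carrying new_password changes it; the method and origin are never checked,
    # so a same-origin GET forged by injected script succeeds with the victim's cookies.
    if "new_password" in params:
        passwords[session.user] = params["new_password"]
        return True
    return False


def change_password_safe(passwords: dict, session: Session, method: str, form: dict) -> bool:
    # 1. State changes only via POST (a GET from a <script>/<img> cannot reach this code path).
    if method != "POST":
        return False
    # 2. CSRF token bound to the session; compare in constant time.
    if not secrets.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False
    # 3. Re-authenticate: the current password must be supplied for a change.
    if form.get("current_password") != passwords.get(session.user):
        return False
    new = form.get("new_password", "")
    if len(new) < 12:  # assumed policy for the example
        return False
    passwords[session.user] = new
    return True


# --- the chain, run against either variant ------------------------------------------
def simulate_chain(hardened: bool) -> dict:
    """Victim 'grinch' opens the thread; if the script runs it issues the GET seen in the writeup."""
    passwords = {"grinch": "correct horse battery staple"}  # constructed value
    victim = Session(user="grinch")
    render = render_comment_safe if hardened else render_comment_vulnerable
    change = change_password_safe if hardened else change_password_vulnerable

    page = render(XSS_COMMENT)
    runs = script_survives(page)
    changed = False
    if runs:
        # Browser executes fetch('/settings?new_password=neewashere') with the victim's session.
        changed = change(passwords, victim, "GET", {"new_password": "neewashere"})
    return {"script_runs": runs, "password_changed": changed, "password": passwords["grinch"]}


if __name__ == "__main__":
    print("vulnerable:", simulate_chain(hardened=False))
    print("hardened:  ", simulate_chain(hardened=True))
```

Escaping on output is what stops the comment from becoming a script; the POST-plus-CSRF-token-plus-reauthentication check is what stops a forged request from changing the password even if some other injection point is found later. Both layers are worth having, and a password change that succeeded via a GET in the access logs is itself a detection signal.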


What flag did you get when you disabled the plugin?
- THM{NO_MO**_*****}