[Day 5] Pesky Elf Forum

{Web Exploitation = XSS}

Story

The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they've installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.

Challenge

Logging in with the given credentials returns the following.

Username: McSkidy

Password: password

Visiting the settings page reveals a password reset feature.

Posting the following as a comment reveals that the platform is vulnerable to stored XSS attacks. and any payload posted as a comment will run when another user accesses the page.

<script>alert(1)</script>

Now I needed to chain this stored XSS with a password reset attack against the grinch account and I should be able to get in. The password reset is revealed when trying to change the password

http://10.10.31.34/settings?new_password=nee

Next, I posted a comment with the following contents to change the password of any visitor that visits that thread to neewashere

<script>fetch('/settings?new_password=neewashere');</script>

After waiting for about a minute or so, I was able to login to the grinch account with neewashere as the password. I was also able to see the active plugin and disable it.

What flag did you get when you disabled the plugin?

  • THM{NO_MO**_*****}

Last updated