TryHackMe – Advent of Cyber 3 – Day 5

Day 5 – Pesky Elf Forum

The focus for Day 5 is Cross Site Scripting (XSS) vulnerabilities.

Launch the AttackBox and target machine for Day 5.

Open Firefox and navigate to the following address, substituting the IP for your target machine:

https://10-10-10-10.p.thmlabs.com

Note the use of dashes ‘-’ rather than dots ‘.’ between the octets of the target IP address.

You should see a page titled ‘Elf Forum’:

[Screenshot: Elf forum page.]

Click the ‘Login’ button and enter the credentials provided by THM:

Username: McSkidy

Password: password

[Screenshot: Elf forum login.]

Click on the ‘Settings’ button and change the password to ‘pass123’. You’ll notice that the URL changes to the following:

https://10-10-10-10.p.thmlabs.com/settings?new_password=pass123

Go back to the forum and navigate to a thread. Scroll down to the comment entry section at the bottom of the page and enter:

hello <u>world</u>

<u> is an HTML tag that underlines text (<u> is the opening tag and </u> is the closing tag). We are testing to see if this HTML content will be filtered out.

[Screenshot: Leaving a comment with HTML code.]

After submitting our comment, we can see that we have successfully underlined the word ‘world’:

[Screenshot: The HTML code worked, telling us that the input is unfiltered.]

This tells us that HTML is unfiltered.

Now let’s try using a stored XSS attack by adding a comment with JavaScript, using the URL we found earlier:

[Screenshot: Leaving a comment with JavaScript to execute the XSS attack.]

When we post the comment it appears blank, so we need to check the source code to see if it’s still there or if it has been filtered:

[Screenshot: Checking the source code to see if the JavaScript from the comment is present.]

Any logged in users will have their passwords changed to ‘pass123’ if they visit this page!

Log out of McSkidy’s account and attempt to log in using:

username: Grinch

password: pass123

If the Grinch visited the page that we loaded our JavaScript code onto, his password will have changed to ‘pass123’.
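To show why the forum is exploitable and how it would be fixed, here is an added Python example (not part of the TryHackMe room or this walkthrough). It contrasts the unfiltered rendering seen above with HTML-escaped rendering, adds a simple check a forum could log on when a comment contains markup, and models a hardened version of the ‘Settings’ endpoint that refuses the GET-based password change. The comment samples and the `csrf_token` field are constructed for this example.

```python
import html
import re

# Constructed sample comments: the underline probe from the walkthrough,
# a benign script-tag probe, an event-handler variant, and an innocent post.
SAMPLE_COMMENTS = [
    "hello <u>world</u>",
    "<script>alert('xss')</script>",
    '<img src="x" onerror="alert(1)">',
    "Merry Christmas, everyone!",
]

def render_unfiltered(comment: str) -> str:
    """Mirror the Elf Forum behaviour: raw comment text is placed in the page."""
    return f"<p>{comment}</p>"

def render_escaped(comment: str) -> str:
    """Defensive rendering: escape <, >, &, quotes so markup becomes inert text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"

# Hypothetical server-side check: flag submitted comments that look like markup
# rather than prose, so the application can log or alert on them.
MARKUP_PROBE = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*\b"   # any HTML tag, e.g. <u>, <script>
    r"|\bon[a-z]+\s*=",            # inline event handlers, e.g. onerror=
    re.IGNORECASE,
)

def looks_like_markup(comment: str) -> bool:
    return MARKUP_PROBE.search(comment) is not None

def settings_change_allowed(method: str, form: dict, session_token: str) -> bool:
    """The forum's /settings?new_password=... accepts a bare GET, which is what
    lets a stored script change a visiting user's password. A hardened endpoint
    only accepts a POST carrying a CSRF token bound to the user's session."""
    return (
        method == "POST"
        and bool(form.get("new_password"))
        and form.get("csrf_token") == session_token
    )

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(f"{looks_like_markup(c)!s:5} {render_escaped(c)}")
```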

Navigate back to the ‘Settings’ page. At the bottom of the page you should see the plugin that the Grinch used to change all instances of ‘Christmas’ to ‘Buttmas’:

[Screenshot: Christmas to Buttmas plugin and Disable option.]

Disable this plugin and you should see the flag needed to answer the question.

Question 1

What flag did you get when you disabled the plugin?

Answer:

(Highlight below to see answer):

THM{NO_MORE_BUTTMAS}