Advent of Cyber 2021 — [Day 5] Pesky Elf Forum

Samantha
Dec 7, 2021

“The Elf Forum is where all the elves express their joy and excitement about Christmas, but Grinch Enterprises has one bad admin account, and they’ve installed a plugin that changes all mentions of Christmas to Buttmas!! McSkidy needs to find that admin account and disable the plugin.”

Link to Room: https://tryhackme.com/room/adventofcyber3#

Question #1: What flag did you get when you disabled the plugin?

The challenge starts by directing you to the Elf Forum:

I usually try not to read the official walkthroughs before I do a challenge, but it seems like you need the username and password combo from that section to get logged into the forum.

Though they are actually pretty easy to guess now that I see them…

Username: McSkidy

Password: password

Once logged in, you will notice a new settings button for the Elf Forum:

This will let you change McSkidy’s password. Change it to whatever you want:

After you do that, notice the URL:

The password change is carried out by a plain request to this URL, with the new password in it. So if you were to get someone else to visit this URL, their own password could be changed to “buttmas”. Then you could log into their account and do whatever you want with it.

Choose one of the comment threads.

In the comment field you can leave some JavaScript.

This means that everyone who visits the page will unknowingly load the JavaScript, which will request the password change URL from earlier.
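A defensive sketch of the two weaknesses this walkthrough chains together (a password change triggered by simply requesting a URL, and comments that run as script), added here as an example and not code from the room or the original post. The handler names, the `newPassword` parameter, the session layout and the sample values are assumptions.

```javascript
// Added example: hypothetical model of a forum's settings and comment code.
// Constructed sample state: one logged-in user with a per-session CSRF token
// (a real token must come from a CSPRNG, and passwords must be stored hashed).
function makeState() {
  return {
    users: { grinch: { password: "original-secret" } },
    sessions: { "sid-1": { user: "grinch", csrfToken: "constructed-token-7f3a" } },
  };
}

// Weak design: any GET that carries the session cookie changes the password,
// so a request fired by a script in the victim's browser is enough.
function changePasswordVulnerable(state, req) {
  const session = state.sessions[req.cookies.sid];
  if (!session) return 401;
  state.users[session.user].password = req.query.newPassword;
  return 200;
}

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened: state changes only via POST, and the body must carry both the
// session's CSRF token and the account's current password.
function changePasswordHardened(state, req) {
  const session = state.sessions[req.cookies.sid];
  if (!session) return 401;
  if (req.method !== "POST") return 405;
  const body = req.body || {};
  if (!safeEqual(body.csrfToken, session.csrfToken)) return 403;
  const user = state.users[session.user];
  if (!safeEqual(body.currentPassword, user.password)) return 403;
  user.password = body.newPassword;
  return 200;
}

// Comments are escaped on output so stored markup renders as text, not script.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}
```

A CSRF token by itself does not stop a script that already runs inside the forum's own pages, which is why the hardened handler also asks for the current password and the comments are escaped on output.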

After you comment, you will see just a blank spot:

But behind the scenes the script is running:

Now all we do is wait for the Grinch to log in…

After a minute or so, log out and then log back in as the Grinch:

Username: grinch

Password: buttmas

Then head to the settings area. You will see there is a new option to disable his Buttmas plugin prank:

Disable it for your flag!

THM{NO_MORE_BUTTMAS}

Happy Holidays!❤
