Day-5:Pesky Elf Forum

https://tryhackme.com/room/adventofcyber3

Gaining Access

• Login using the provided credentials

  McSkidy
  password
  

• Now click on the settings option.
• Now change the password
• Next you will notice the new password is being reflected in the URL
  
• Go to the any forum and type the payload in the comment section

  <script>fetch('/settings?new_password=123');</script>
  

• So now when any user opens the forum his/her password will change to 123.
• Now logout and login as grinch using the password 123.
  
• Click on Disable

Flag