TryHackMe Sequence - Full Walkthrough 2025 - XSS - CSRF - Docker Escape

🚩 Chain multiple vulnerabilities to take control of a system. 🚩 🚩🚩 Room Link: 🚩🚩 https://tryhackme.com/room/sequence 😸Scenario:😸 Robert made some last-minute updates to the review[.]thm website before heading off on vacation. He claims that the secret information of the financiers is fully protected. But are his defenses truly airtight? Your challenge is to exploit the vulnerabilities and gain complete control of the system. 🎲🎲 Room Overview 🎲🎲 Solving this room involved many steps and chaining many vulnerabilities together. (XSS, CSRF, Docker escape) 🐛 1- Contact page vulnerable to XSS, we used this fact to get moderator user cookie. 🐛 2- With mod access we get our first flag, we can chat to admin, also we can update our password, an option to update role to admin but only admin can use this feature. both forms are protected by CSRF token. 🐛 3- We discover the fist weakness of the app as CSRF token is just md5 value for username. 🐛 4- We send a link to admin on chat to upgrade our role to admin. 🐛 5- Accessing admin portal give us admin flag and access to finance portal, upload php reverse shell and get access to the machine. 🐛 6- We find ourself inside the container, but we found Docker socket mounted inside the container (/var/run/docker.sock) which give us easy way to escape to host and get root flag. 🚩🚩 Commands used on the video: https://github.com/djalilayed/tryhackme/tree/main/Sequence 🚩🚩 Penelope Shell: https://github.com/brightio/penelope ⚠️ Educational Purpose Only This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems. #tryhackme