💘 Cupid’s Matchmaker – TryHackMe Walkthrough (Google Ads Friendly)

 

💘 Cupid’s Matchmaker – TryHackMe Walkthrough (Google Ads Friendly)

🧩 Room Details

  • Platform: TryHackMe

  • Category: Web


  • Difficulty:     Easy

  • Room Name: Cupid’s Matchmaker

  • Target URL: http://10.49.159.61:5000

📌 Overview

Cupid’s Matchmaker is a beginner-friendly web exploitation challenge on TryHackMe. The application claims to avoid AI algorithms and instead uses real humans to review matchmaking surveys. However, as ethical hackers, our goal is to identify potential vulnerabilities within the web application.

This room focuses on practical web exploitation skills, particularly client-side injection flaws.

🎯 Objective

Your mission is simple:

  • Analyze the web application.

  • Identify vulnerabilities.

  • Exploit the weakness.

  • Capture the flag.

🔍 Initial Enumeration

After accessing the web app, you’ll notice a personality survey form where users submit information to be matched.

Key observation:

  • User input is displayed or processed somewhere in the application.

  • There appears to be minimal sanitization on user input fields.

This hints at a possible Cross-Site Scripting (XSS) vulnerability.

⚡ Vulnerability Identified – Cross-Site Scripting (XSS)

What is XSS?

Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

In this challenge:

  • User input was not properly sanitized.

  • JavaScript payloads could be injected.

  • The payload executed in the browser context.

🛠 Exploitation Process (High-Level Overview)

  1. Submit a test payload in a form field.

  2. Confirm whether JavaScript executes.

  3. Modify payload if needed.

  4. Trigger the application to process the input.

  5. Capture the flag once the payload executes successfully.

This room is designed to demonstrate how improper input validation can lead to client-side script execution.

🏁 Final Flag

THM{XSS_CuP1d_Str1k3s_Ag41n}

📚 Key Learning Points

  • Always validate and sanitize user input.

  • Never trust client-side data.

  • Reflected and stored XSS are common beginner-level vulnerabilities.

  • Proper output encoding prevents script injection.

  • Web exploitation often begins with simple input testing.

🔐 Defensive Takeaway

If you are a developer:

  • Use output encoding libraries.

  • Implement Content Security Policy (CSP).

  • Validate and sanitize all user input.

  • Use modern frameworks that auto-escape outputs.

💡 Conclusion

Cupid’s Matchmaker is a great beginner web security challenge that reinforces the importance of input validation and awareness of client-side vulnerabilities.

If you're preparing for:

  • Web security assessments

  • Bug bounty programs

  • Penetration testing roles

  • Cybersecurity certifications

This room is a solid starting point.

Comments

Post a Comment

Popular Posts