Advent Of Cyber 3 - Day 5
tl;dr:
Blind XSS
Log in to the elf forum and click any of the posts.
Create a new post with the content:
<script>fetch('/settings?new_password=pass123');</script>
Wait about a minute, then try to log in as the grinch with the password: pass123
The login should succeed because the grinch moderates the forum quite frequently: when he views the post, the script runs in his session and requests the password change on his behalf.
Deactivate the buttmas plugin to receive the flag: THM{NO_MORE_BUTTMAS}
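
Why the payload worked, seen from the fix side. This is an added example, not code from the room or the forum: the function names, the session object and the CSRF token field are assumptions made for illustration. It shows the two server-side changes that stop the attack above: encoding post content on output, and refusing a password change that arrives as a bare GET.

```javascript
// Added example with hypothetical names; not the forum's real code.
// The post content from the walkthrough, used as constructed test input.
const PAYLOAD = "<script>fetch('/settings?new_password=pass123');</script>";

// Fix 1: HTML-encode user-supplied content before it is placed in the page,
// so the browser displays the markup as text instead of executing it.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderPost(content) {
  return `<div class="post">${escapeHtml(content)}</div>`;
}

// Fix 2: a password change must be a POST that carries the session's CSRF
// token and the current password. A same-origin script could still read the
// token from the page, so the current-password check is the control that
// holds even if an XSS bug slips through.
// Simplification: passwords are compared in plaintext here; real code
// verifies a salted hash.
function changePassword(session, req) {
  const body = req.body || {};
  if (req.method !== 'POST') return { status: 405, changed: false };
  if (body.csrfToken !== session.csrfToken) return { status: 403, changed: false };
  if (body.currentPassword !== session.user.password) return { status: 403, changed: false };
  session.user.password = body.newPassword;
  return { status: 200, changed: true };
}

// Constructed session standing in for the moderator's logged-in browser.
function newSession() {
  return { csrfToken: 'constructed-token', user: { name: 'moderator', password: 'old-secret' } };
}

// The request the payload makes: GET with only new_password in the query.
const attack = changePassword(newSession(), { method: 'GET', query: { new_password: 'pass123' } });
console.log(renderPost(PAYLOAD));
console.log(attack);
```
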
EOF