How Can XSS Be Used to Access Sensitive Files | TryHackMe The Sticker Shop

The post is a detailed walkthrough of a TryHackMe challenge called “The Sticker Shop,” which explores Cross-Site Scripting (XSS) vulnerabilities and how they can be leveraged to compromise a system.

COMPTIA Cyber Security Analyst (CySA+) Study Notes

Table of Contents:About The ExamExam Preparation TipsIntroductory ConceptsDomain 1: Security OperationsDomain 2…

Offensive Security Certified Professional Study Notes and Guide

This is a 1562 pages of notes that will guide and help you prepare for and pass the OSCP exam taking into account the…

Objective of the Challenge

Exploit this vulnerability to gain access to sensitive information, such as a flag file.

Investigate an XSS vulnerability in a fictitious Sticker Shop web application.

Step-by-Step Breakdown

Introduction

• The challenge demonstrates how XSS vulnerabilities allow attackers to:

1. Interact with the server.
2. Access sensitive files.

• The Sticker Shop’s website was built by inexperienced developers, making it vulnerable.

Exploration of the Website

• Website Features:
• Displays products (stickers), but they are non-interactive.
• A feedback form accepts user inputs.
• Initial Investigations:
• Reviewed the page’s source code for hidden notes or developer comments but found nothing.
• Tested the feedback form, as it accepts user input and interacts with the server backend.

Testing for XSS

• Reflected XSS:
• Attempted basic XSS payloads, such as an alert script, to observe if inputs were reflected in the server response.
• These tests did not work, ruling out reflected XSS.
• Blind XSS:
• Crafted a payload using an <img> tag with a nonexistent source to trigger an error.
• When the error occurred, a JavaScript fetch request was sent to the attacker’s server to test whether the server was executing malicious scripts.
• Successfully confirmed the server’s vulnerability to blind XSS.

Exploiting the Vulnerability

• Step 1: Read the Flag File
• Modified the payload to:

1. Fetch the contents of the flag.txt file.
2. Transfer the file contents to the attacker’s server using JavaScript.

• Payload Details:
• Constructed a custom JavaScript payload embedded in an <img> tag.
• Used error handling to trigger a fetch request to the flag.txt file on the server.
• Redirected the file contents to the attacker’s server.
• Step 2: Enhance the Attack
• Rewrote the attack using a full JavaScript wrapper for better flexibility and clarity.
• Included error handling, variable definitions, and HTTP requests to fetch and transmit the flag securely.

Key Learnings

• XSS vulnerabilities can be exploited to retrieve sensitive information when combined with creative payloads.
• Blind XSS attacks allow attackers to bypass restrictions where server responses are not directly visible.
• Crafting advanced payloads, such as JavaScript wrappers, enables more complex exploitation.

Conclusion

• Successfully retrieved the flag by leveraging blind XSS.
• Demonstrated the process of identifying and exploiting web vulnerabilities step-by-step.
• Emphasized the importance of secure web development practices to avoid such vulnerabilities.

TryHackMe The Sticker Shop | Room Answers

What is the content of flag.txt?
THM{83789a69074f636f64a38879cfcabe8b62305ee6}

Video Walkthrough