How Can XSS Be Used to Access Sensitive Files | TryHackMe The Sticker Shop

Motasem Hamdan
3 min read · Dec 18, 2024


This post is a detailed walkthrough of the TryHackMe challenge “The Sticker Shop,” which explores Cross-Site Scripting (XSS) vulnerabilities and how they can be leveraged to compromise a system.

Objective of the Challenge

  • Investigate an XSS vulnerability in a fictitious Sticker Shop web application.
  • Exploit that vulnerability to gain access to sensitive information, such as a flag file.

Step-by-Step Breakdown

Introduction

  • The challenge demonstrates how XSS vulnerabilities allow attackers to:
    1. Interact with the server.
    2. Access sensitive files.
  • The Sticker Shop’s website was built by inexperienced developers, making it vulnerable.

Exploration of the Website

  • Website Features:
    • Displays products (stickers), but they are non-interactive.
    • A feedback form accepts user input.
  • Initial Investigations:
    • Reviewed the page’s source code for hidden notes or developer comments but found nothing.
    • Tested the feedback form, since it accepts user input and interacts with the server backend.

Testing for XSS

  • Reflected XSS:
    • Attempted basic XSS payloads, such as an alert script, to observe whether the input was reflected in the server response.
    • These tests did not work, ruling out reflected XSS.
  • Blind XSS:
    • Crafted a payload using an <img> tag with a nonexistent source so that its error handler would fire.
    • When the error fired, the handler issued a JavaScript fetch request to the attacker’s server; receiving that callback shows the script executed on the target side even though nothing is reflected in the response.
    • The callback arrived, confirming that the application was vulnerable to blind XSS.

Exploiting the Vulnerability

  • Step 1: Read the Flag File
    • Modified the payload to:
      1. Fetch the contents of the flag.txt file.
      2. Transfer the file contents to the attacker’s server using JavaScript.
    • Payload Details:
      • Constructed a custom JavaScript payload embedded in an <img> tag.
      • Used the error handler to trigger a fetch request for the flag.txt file on the server.
      • Forwarded the file contents to the attacker’s server.
  • Step 2: Enhance the Attack
    • Rewrote the attack as a full JavaScript wrapper for better flexibility and clarity.
    • Included error handling, variable definitions, and the HTTP requests needed to fetch the flag and transmit it.

Key Learnings

  • XSS vulnerabilities can be exploited to retrieve sensitive information when combined with creative payloads.
  • Blind XSS lets an attacker confirm execution, via an out-of-band callback, even where the server response never reflects the payload.
  • Crafting advanced payloads, such as JavaScript wrappers, enables more complex exploitation.

Conclusion

  • Successfully retrieved the flag by leveraging blind XSS.
  • Demonstrated the process of identifying and exploiting web vulnerabilities step-by-step.
  • Emphasized the importance of secure web development practices to avoid such vulnerabilities.

TryHackMe The Sticker Shop | Room Answers

What is the content of flag.txt?
THM{83789a69074f636f64a38879cfcabe8b62305ee6}

Video Walkthrough


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
