Pentest Everything

Hack The Box | OnlyHacks

In this walkthrough, we will be going through the OnlyHacks box on Hack The Box.

Room Banner

https://app.hackthebox.com/challenges/860

Successfully Pwned OnlyHacks

Completed and pwned this challenge on Hack The Box.

Owned

Hack The Box

Pwned

Challenge Description

Dating and matching can be exciting especially during Valentine's, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?

Challenge Overview

This challenge involves exploring the OnlyHacks web application to discover and exploit security flaws, ultimately leading to the exposure of sensitive data.

Web Application Analysis

Upon accessing the OnlyHacks platform, users can register, log in, browse profiles, and engage in conversations with matched users.

Dashboard Exploration

After successful authentication, users are presented with a dashboard displaying potential matches.

OnlyHacks Dashboard

Chat Functionality

Matching with another user enables the chat feature, allowing private messaging.

OnlyHacks Chat Interface

Vulnerability

While interacting with the chat feature, it's observed that the URL contains a parameter rid representing the chat room ID.

https://onlyhacks.htb/chat?rid=6

Manually modifying the rid value in the URL grants access to different chat rooms. For instance, changing rid=7 to rid=3 allows viewing another user's char without authorization. This vulnerability can be exploited to access restricted conversations and obtain sensitive information like the flag.

Accessing Unauthorized Chat

We successfully exploited the vulnerability to access the flag.