OnlyHacks

Challenge Description

Dating and matching can be exciting especially during Valentine's, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?

Challenge Overview

This challenge involves exploring the OnlyHacks web application to discover and exploit security flaws, ultimately leading to the exposure of sensitive data.

Web Application Analysis

Upon accessing the OnlyHacks platform, users can register, log in, browse profiles, and engage in conversations with matched users.

Dashboard Exploration

After successful authentication, users are presented with a dashboard displaying potential matches.

Chat Functionality

Matching with another user enables the chat feature, allowing private messaging.

Vulnerability

While interacting with the chat feature, it's observed that the URL contains a parameter rid representing the chat room ID.

https://onlyhacks.htb/chat?rid=6

Manually modifying the rid value in the URL grants access to different chat rooms. For instance, changing rid=7 to rid=3 allows viewing another user's char without authorization. This vulnerability can be exploited to access restricted conversations and obtain sensitive information like the flag.

OnlyHacks has been Pwned!