HTBank Web

The challenge has no description and it kinda leaves me lost. Is it supposed to be a guessing game?

Has anyone solved it and can give a tip?

Any nudges?

I haven’t solved it yet.

Some observations i found-

  1. There is a script.js file which calls to an etherscan api address(different from the shown wallet address) alongwith the api key.
  2. It uses an algo to convert the result value to balance.
  3. withdraw option instead calls the local url?/api/withdraw
  4. add balance option does not do anything
  5. withdraw api call seems interesting? there are also the api/login, api/register endpoints…but none of the api endpoint i enumed , had GET method

possible issues-
somehow that balance is not reflected in the webpage output based on the url?/home api call as per observ. 1.

**May be the withdraw function can be utilized further

If anyone can guide/nudge me here ?
am i even going in the right direction or i have totally lost my marbles?:face_with_spiral_eyes:

1 Like

I’m the same theory, I think this is client side proto pollution but i have to say I am lost because there is no real “try and get this or do that” description. But that’s just me.
Nudges appreciate and if I find anything I will post.
I love easy HTB challenges xP


It is important to understand “HPP”


I haven’t solved it so far, and I don’t know how and where should I use HPP :exploding_head:

That was a… weird challenge. Check the added description.

I’ve made some headway so far, hitting some minor troubles. Would someone who has cleared it be able to message me? I don’t want to post any spoilers/hints on this thread.

Parameter Pollution is the hint as well as solution


This is a precious hint.

did you solve it ? I’m lost too

Solved. Pretty easy challenge when you know the value needed lol. Was scratching my head on that one for a bit.

Don’t make it more complicated that it actually is. Read the code

Yes and as the other comments say, it is easy when you know what to look for. Don’t overthink.

Definitely, the comments were useful, if you are familiar with the vulnerability from the above, you will spot it in Source Code more easily.
Also, don’t change the content type of POST Request, like I did xD.