The challenge has no description and it kinda leaves me lost. Is it supposed to be a guessing game?
Has anyone solved it and can give a tip?
I haven’t solved it yet.
Some observations I found:
- There is a script.js file which calls an etherscan API address (different from the shown wallet address) along with the API key.
- It uses an algo to convert the result value to balance.
- The withdraw option instead calls the local url?/api/withdraw.
- The add balance option does not do anything.
- The withdraw API call seems interesting? There are also the api/login and api/register endpoints… but none of the API endpoints I enumed had a GET method.
Somehow that balance is not reflected in the webpage output based on the url?/home API call, as per observation 1.
Maybe the withdraw function can be utilized further.
If anyone can guide/nudge me here?
Am I even going in the right direction, or have I totally lost my marbles?
I’m on the same theory, I think this is client side proto pollution, but I have to say I am lost because there is no real “try and get this or do that” description. But that’s just me.
Nudges appreciated, and if I find anything I will post.
I love easy HTB challenges xP
It is important to understand “HPP”
I haven’t solved it so far, and I don’t know how and where should I use HPP
That was a… weird challenge. Check the added description.
I’ve made some headway so far, hitting some minor troubles. Would someone who has cleared it be able to message me? I don’t want to post any spoilers/hints on this thread.
Parameter Pollution is the hint as well as solution
This is a precious hint.
did you solve it ? I’m lost too
Solved. Pretty easy challenge when you know the value needed lol. Was scratching my head on that one for a bit.
Don’t make it more complicated than it actually is. Read the code.
Yes and as the other comments say, it is easy when you know what to look for. Don’t overthink.