noSQL injection Skills Assessment II

HTB Content Academy
1

Hi there,

I’m writing here because I’m stuck since a while in the Skill Assessment II in the noSQL Injection module.
I’m pretty sure the username parameter is vulnerable because inputing a " cause an error 500.

I tried to re-imagine what the backend is doing re-using what I learned in the module:

this.username === "<username>"

Because doing this and replace with a " occurs an error too, which match with the behavior of the target.

But when I try to inject the well known payload " || true || "" == ", that returns a true on my test, it fails, the credentials are incorrect.

I also tried a simpler attack passing the parameters username[$ne]=“” but it fails complaining about the missing parameter username, I guess the code on the server side is sanitized correctly agains this kind of attack.

I can’t find another way to do it, any help would be appreciated

2

Ok found it, I struggle so much before understand what to look for…

4

Hi, I am also facing the same problem here, can you give me a little hint

5

Hello!
There is one type of attack that is mentioned in the lesson but never illustrated. Now is the time to train on it.

2 Likes
6

Can you give me some other suggestions? I tried the same as you, but failed :(

7

Your main difficulty is that whatever the result of your injection you can’t see anything in the result (it’s always the same answer).
There is a specific type of injection for this use case, just a matter of time!

1 Like
8

I don’t quite understand what you mean. Can you give me some specific suggestions QAQ

9

I sent you a DM

10

Thanks for your suggestion, I finally got the flag. :slight_smile:
But I have a problem.
In my automation script, I cannot confirm the length of the password in advance, so I wrote a long for loop. Is there any way to confirm the length of the password in advance

11

Thank you again for your help. I have found a way to confirm the length of the password :slight_smile:

1 Like
12

Hello, I’m attempting the assessment, but I’m stuck and no longer sure I’m doing this right. I recovered a password hash, not the password itself. The hash does not exist on crackstation.net. I know that there is almost no chance I could crack it since Crack Station already has all the words from seclists and many other sources. The hash itself does not work as a password. I also checked if other users exist, but there isn’t.

TL;DR: there is only one user b**** and a hash, which I don’t know what to do with.

Could anyone give me a hint if I’m going in the right direction?

13

Well, one hint:
There is another way to obtain the password… :slight_smile: For that, you have to guess something else.

1 Like
14

Thank you! It seems so obvious after figuring it out :sweat_smile:

15

Need help…I can’t get the time payload right

16

Between the two “or conjunction” you can insert something to delay the response!

17

Thanks finally got it…after finish other module first.:slight_smile:

18

Anybody can provide me a hint? Been stuck on this for a while, and can’t find any difference in the case if this was a blind injection. The server seems to search for the parameter name and complains if it’s missing. I was able to guess the user but for the other functions forget and token I’m still hitting a brick wall.

19

Talk about a subtle indicator. Guess that was why in my exam the doctor told me to focus on the dot.
:mag: :wink:

20

For anyone who is stuck like I was - I’d suggest taking a few minutes to enumerate the the site and see what options are available before immediately jumping into crafting an exploit. This may give you some clues on what it is that you’d like to hunt for.

1 Like
23

Who deleted my post