Official Neonify Discussion

Official discussion thread for Neonify. Please do not post any spoilers or big hints.

1 Like

I would love to get a hint \ maybe someone interested in doing it togther on discord

it seems there is some whitelisting going on… is it really bypassable? hints?

May be HTTP Request Smuggling.

But it only affects WEBrick 1.6.0 or prior

UPDATE: Resolved.
@tidena Yes, possible.

Hello fellas,
I dont know what to do
i tried the chunked method but my request lend nothing
I would reall really reallly like a hint;
I asked on discord but no reply;
I also don’t mind if you could give me the full walthrough but one hint is enough for now please

I tried but it still gives mallicius input detected

You might want to look in to the regex further. It might be more INSECURE then you think.

If anyone gets stuck or wants a nudge feel free to dm :slight_smile:

You don’t need to know anything about docker really unless you want to run the machine locally for testing.

For anyone looking for a hint, the most important thing for any web challenge is to find any user controlled input, and then follow it all the way through the code. As you follow that code path, google any functions or packages that are acting on it that you don’t know what they are or understand what they are doing.

If you understand what is happening, then still google the function or package but add “exploit” or “vulnerability” to the search and see if you get any interesting results.

Just doing that you’ll knock out a majority of the challenges, as well as gain a lot of understanding about how various programming languages work.


I didn’t find this to be ‘easy’. I definitely made assumptions on the vulnerability and followed a rabbit hole that consumed about two days–HTTP Smuggling was not a fruitful endeavor me, though it seems @h47d3n may have had luck with smuggling (I’d love to see how you did that).

Some helpful comments from @Gizzle definitely led me down a path to resolution, though the implementation was not quite so straight forward. Also, I wasted a lot of time using Burp, Curl was definitely the way to go with this particular exploit throw. Hint, I was also successful just pasting my payload in the browser web dev tools feature, but could still not get Burp to treat me right.

1 Like

Definitely not easy, but glad to hear you got it @nv1us ! I also got the flag using curl.

Last hint for people getting stuck on the payload part: when you try to encode the payload, make sure ALL special characters are encoded. Burp’s CTRL+U is not your friend.

I also use curl to bypass.
Just pay attention on regular expression.

1 Like

Thanks. I’ll read about request smuggling.

Hi I am new to here.
After checking several http smug payload. All return malicious detected.
Hope some one can give me some hint

Some tips regarding testing vulnerabilities that has helped me in this machine and others:

  • Read the source code line by line and file to file, at least 3/4 times
  • If there is a library, command or piece of code that you don’t understand, google it until you do
  • In the source code that is given to you, if the flag is not in a DB and is on the file system, that means that there must be a way for you to execute code and access the flag on the target file system.
  • There must also be a way for you to input a command or piece of code into the code (user input being one way)
  • From my experience, a lot of time is wasted on network requests and coding/decoding. You might have the answer in your hand, but a tiny encoding issues can make it wrong.
  • Best way to debug and try encoding issues is to run the docker container, and hard code user inputs without receiving them over network requests to make sure you are not messing up in the encoding part until you have a working exploit. Then you can go backwards in steps and see where the encoding is being the problem and research it.
  • For regex, a google search on “online regex test” would give you nice and descriptive websites which allow you to try different things

Best of luck, and remember that the flag may be closer to you than you think, so don’t give up!


found out it uses whitelisting with regex but donno how to escape it. any hints ?

@inth3wild showed me he did it in Burp Suite. curl not required :slight_smile:

To everyone who’s trying out this challenge:
I can confirm that cURL is the best tip given.

The weakness was easy enough to find, but I really struggled with the payload.

If anyone needs a hint, feel free to DM me.