In this write-up, we will solve the NeoVault challenge from HackTheBox. The goal is to analyze the web application, identify its weaknesses, and use them to gain command execution in order to retrieve the flag. Along the way, we will break down each step of the exploitation process to clearly demonstrate how the vulnerability can be discovered and leveraged.
Now let’s navigate to the website.

Now let’s register a new account.

Now let’s look at the transaction tab.

Notice that a user named neo_system has transferred money to us.
Now let’s download the transaction history PDF.

As we can see, the user neo_system transferred 100$ to SecretRemo.
Now let’s look at the download request.

Note that it is a POST request with no parameters sent!
Now let’s try to leak the user IDs.

Notice that we managed to find the ID of the neo_system user.
Now let’s go back to the download request and add the id parameter to it, set to the ID of neo_system, using the v1 API.
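The class of bug this step relies on is a missing ownership check on a client-supplied `id`. The following is an added example, not code from the challenge or from this write-up: a constructed Python model of an export handler that trusts the body `id`, next to a hardened one that binds the export to the session user. All function names, user IDs, tokens and amounts other than the 100$ transfer are hypothetical.

```python
# Constructed model of the export authorization flaw (not the challenge's code).
USERS = {"u-100": "neo_system", "u-200": "SecretRemo"}   # placeholder IDs
SESSIONS = {"tok-remo": "u-200"}                         # token -> authenticated user
TRANSACTIONS = [                                         # constructed sample data
    {"from": "u-100", "to": "u-200", "amount": 100},
    {"from": "u-100", "to": "u-300", "amount": 250},
]
AUDIT_LOG = []                                           # denied attempts, for detection


class Forbidden(Exception):
    """Raised when the caller is not allowed to export the requested history."""


def history_for(user_id):
    """Return every transaction the given user sent or received."""
    return [t for t in TRANSACTIONS if user_id in (t["from"], t["to"])]


def export_v1_vulnerable(token, body):
    """Authenticates the caller, then trusts body['id'] without an ownership check."""
    caller = SESSIONS[token]
    target = body.get("id", caller)      # empty body -> own history, as in the write-up
    return history_for(target)


def export_hardened(token, body):
    """Exports only the session user's history; a mismatched id is denied and logged."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Forbidden("no valid session")
    requested = body.get("id")
    if requested is not None and requested != caller:
        AUDIT_LOG.append({"caller": caller, "requested": requested})
        raise Forbidden("id does not belong to the session user")
    return history_for(caller)


if __name__ == "__main__":
    print(len(export_v1_vulnerable("tok-remo", {})))               # own history
    print(len(export_v1_vulnerable("tok-remo", {"id": "u-100"})))  # another user's history
    try:
        export_hardened("tok-remo", {"id": "u-100"})
    except Forbidden as exc:
        print("denied:", exc, AUDIT_LOG)
```

The same check has to be applied to every API version that stays routable, since an older version left in place keeps the old behaviour.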
