NeoVault
Objective
Challenge walkthrough focused on Web evidence, validation, and reusable operator lessons.
Walkthrough flow
- Source and route audit
- Trust boundary flaw
- Exploit request chain
- Admin or proof
Source coverage
High source coverage
Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Web/NeoVault/writeup.md
- htb-challenge/Web/NeoVault/notes.md
- htb-challenge/Web/NeoVault/memory-summary.md
- htb-challenge/Web/NeoVault/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Web__NeoVault__notes.md.83fc55df56.md
Technical Walkthrough
Writeup
Flag
Raw flag is stored in loot/flag.txt.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: NeoVault
- Category: Web
- Difficulty: Very Easy
- Remote instance: <TARGET>:30566
- Start time: 2026-05-21
- Operator: jennofrie
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| /tmp/neovault_statement.pdf | 1830 | - | My initial 1-tx statement | |
| /tmp/neovault_after_transfer.pdf | 1875 | - | After 2 transactions | |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| T+0 | GET / | - | Next.js app, nginx/1.22.1, login+register forms | HIGH | Map endpoints |
| T+5 | JS bundle analysis | analysis/routes.md | Two API versions v1+v2; full endpoint list; endpointsV1/V2 in chunk 25739 | HIGH | Test each |
| T+10 | Register + Login | - | Auth via HttpOnly cookie (JWT HS256 token); my id=6a0e99ac417f807b49e0c72f | HIGH | Explore auth |
| T+15 | GET /api/v2/auth/me | - | Returns {_id, username, balance, email} | HIGH | Other endpoints |
| T+20 | POST download-transactions | /tmp/neovault_statement.pdf | Returns PDF via PDFKit; 1830 bytes for 1 transaction | HIGH | Check IDOR |
| T+25 | IDOR attempts on download | - | userId/username/id body params IGNORED — session only | HIGH | Other vectors |
| T+30 | Inquire NoSQLi | - | $ne/$regex/$gt/$lt ALL work — confirmed NoSQL injection | HIGH | Enumerate users |
| T+35 | User enumeration via $gt | - | Found: neo_system, user_with_flag (ID: 6a0e982b417f807b49e0c726) | HIGH | Access account |
| T+40 | Login NoSQLi | - | Server-side validation blocks objects in email/password | HIGH | Other auth bypass |
| T+45 | v1 change-email | - | 500: req.user._id undefined — JWT stores id not _id in v1 middleware | HIGH | Dead end |
| T+50 | v2 change-email NoSQLi | - | 400 — password field rejects objects | HIGH | Other paths |
| T+55 | JWT crack (30 common secrets) | - | No match found | MEDIUM | Larger wordlist |
| T+60 | SSTI in description | - | {{7*7}} stored literally in PDF — no execution | HIGH | Dead end |
| T+65 | Mass assignment (isAdmin:true) | - | Accepted (201) but no extra privileges in /me | MEDIUM | Dead end |
Key Findings
- NoSQL injection <secret redacted> in /api/v2/auth/inquire endpoint
- user_with_flag (ID: 6a0e982b417f807b49e0c726) exists — likely holds the flag
- neo_system is a bot account that sends welcome bonuses to new users
- download-transactions endpoint uses session only (ignores body params)
- v1 API has req.user._id bug (undefined) — v1 JWT middleware stores as req.user.id
- v2 deposit endpoint returns "under maintenance"
- JWT uses HS256 — weak secret attack possible
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Do not paste them here.
Scenario
Neovault is a trusted banking app for fund transfers and downloading transaction history. You're invited to explore the app, find potential vulnerabilities, and uncover the hidden flag within.
Operator Question
What prior HTB web patterns and local challenge notes are most relevant to NeoVault before starting? And what is the challenge flag? The goal is to find the flag.
Harness Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| — | 0 | — | remote-only or no provided files | No local artifacts found under files/ |
Harness Log
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |
| 2026-05-28T03:11:04Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-05-28T03:11:04Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | |
| 2026-05-28T03:11:04Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-05-28T03:11:04Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-05-28T03:11:04Z | research task | analysis/research/task-20260528T031104692733Z-ea6f2660.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-05-28T03:17:49Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-05-28T03:17:49Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-05-28T03:17:49Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-05-28T03:17:49Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-05-28T03:17:49Z | research task | analysis/research/task-20260528T031749830452Z-99a55cc5.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-05-28T03:40:38Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-05-28T03:40:56Z | checkpoint recorded | analysis/checkpoint-triage-20260528T034056305211Z-37565b3a.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-05-28T03:41:08Z | evaluator | analysis/evaluator-20260528T034108566296Z-cb193739.md | Proceed | High | Use the risky wrapper to revalidate the current live NeoVault surface and then continue the exploit path |
| 2026-05-28T03:54:32Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-05-28T03:54:32Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-05-28T03:54:32Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-05-28T03:54:32Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-05-28T03:54:32Z | research task | analysis/research/task-20260528T035432835680Z-66991b4a.md | Research task created for advisory investigation | Medium | Record research output |
Memory Summary
Metadata
- Platform: HackTheBox Challenges
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
Ingestion Decision
- Requires user approval before ingestion: yes
Hypothesis Board
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Transfer to user_with_flag triggers bot auto-response with flag | neo_system is a bot; user_with_flag inserted right after neo_system (adjacent ObjectIDs) | No incoming tx from user_with_flag yet | Transfer to user_with_flag, check tx list | HIGH | OPEN |
| 2 | Forgot/reset password flow allows account takeover | Standard banking feature; not yet found | No reset endpoint found in JS | Probe /forgot-password, /reset-password, grep JS | MEDIUM | OPEN |
| 3 | user_with_flag email is predictable | Username pattern suggests automated account | Unknown email | Try register with common patterns (error = taken) | MEDIUM | OPEN |
| 4 | JWT secret crackable with larger wordlist | HS256; common secrets failed | Larger wordlist | hashcat with rockyou.txt | MEDIUM | OPEN |
| 5 | download-transactions IDOR via URL query param | Body params ignored; URL params not tested | No evidence yet | POST with ?userId=<secret redacted> in URL | LOW | OPEN |
| 6 | NoSQL injection in POST /transactions body | Inquire endpoint injectable; transfer body untested | No evidence | Send objects in amount/description | LOW | OPEN |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
| IDOR body params on download-transactions | userId/username/id/_id/target/user/recipient/account | All return session user PDF (1911 bytes) | Server uses req.user.id only | If source code reveals different param name |
| NoSQL login bypass | {"$ne":null} in email/password fields | 400 Validation failed | Server-side express-validator rejects objects | If alternate content-type bypasses validation |
| SSTI in transfer description | {{77}}, <%= 77 %> | Stored literally in PDF | PDFKit not template-based | Never |
| v1 endpoint exploitation | change-email, deposit, transactions | 500/deprecated/deprecated | req.user._id bug; deprecation wrapper | Never |
| Mass assignment isAdmin | Register with isAdmin:true | 201 accepted, /me shows no extra fields | Field stripped or ignored | Never |
| JWT common secret crack | ~30 common secrets | No match | Secret not in common list | With larger wordlist |
| v2 change-email NoSQLi | password: <redacted>"$ne":"x"} | 400 Bad Request | Object rejected by validator | Never |
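The contrast the ledger and closed branches record, an inquire lookup that accepts operator objects beside a login route whose validator rejects them, as an added example that is not part of the notes or of NeoVault's own code. The user records, the in-memory query matcher, the handler names and the `hasOperatorKeys` detector are constructed assumptions standing in for Express and MongoDB.

```javascript
// Added example, not NeoVault's code: an Express-style "inquire" lookup in the unsafe
// shape the ledger describes (request body passed straight into the query) next to a
// hardened version, plus a detector for operator-laden request bodies.
// USERS and matchField/find are constructed stand-ins for a MongoDB collection.

const USERS = [ // constructed sample data, not values from the challenge
  { _id: '000000000000000000000001', username: 'neo_system', email: 'bot@example.test' },
  { _id: '000000000000000000000002', username: 'user_with_flag', email: 'flag@example.test' },
  { _id: '000000000000000000000003', username: 'alice', email: 'alice@example.test' },
];

// Minimal stand-in for the query operators the notes found working ($ne/$gt/$lt/$regex).
function matchField(value, cond) {
  if (cond === null || typeof cond !== 'object') return value === cond;
  return Object.entries(cond).every(([op, arg]) => {
    switch (op) {
      case '$ne': return value !== arg;
      case '$gt': return value > arg;
      case '$lt': return value < arg;
      case '$regex': return new RegExp(arg).test(String(value));
      default: return false; // unsupported operator: match nothing
    }
  });
}
function find(query) {
  return USERS.filter(u => Object.entries(query).every(([k, c]) => matchField(u[k], c)));
}

// Unsafe handler: whatever JSON arrives in body.username becomes part of the filter,
// so an object such as { "$gt": "" } turns a point lookup into a full enumeration.
function inquireUnsafe(body) {
  return { status: 200, users: find({ username: body.username }).map(u => u.username) };
}

// Hardened handler: the field must be a non-empty plain string (the same rule the
// login route enforced via express-validator), so operator objects never reach the query.
function inquireHardened(body) {
  if (typeof body.username !== 'string' || body.username.length === 0) {
    return { status: 400, error: 'Validation failed' };
  }
  return { status: 200, users: find({ username: body.username }).map(u => u.username) };
}

// Detection helper for request logging or a filtering rule: true when any key in the
// body, at any depth, starts with '$', i.e. carries a MongoDB operator.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) => k.startsWith('$') || hasOperatorKeys(v));
}
```

Logging `hasOperatorKeys(req.body)` on every JSON route is a cheap way to spot this probing pattern even on endpoints whose validators already reject it.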
Technical analogy
How to remember this solve
Think of the web app like a building with signs on every door. The solve usually comes from reading the map carefully, finding the door the app forgot to hide, then sending the exact request that proves you understand the route.
For NeoVault, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.