
NeoVault

Bug Bounty CTF

Context

NeoVault is a banking web application from the Bug Bounty CTF in which users can transfer funds to one another.

NeoVault banking application interface

Challenge Description

NeoVault is a trusted banking application that allows users to effortlessly transfer funds to one another and conveniently download their transaction history. We invite you to explore the application for any potential vulnerabilities and uncover the flag hidden within its depths.

📝 Related Bug Bounty Reports

Analysis

I focused on the provided Bug Bounty Reports, as they proved crucial in the previous JinjaCare challenge.

Bounty Report #1 Analysis

The first report provided valuable insights into how MongoDB ObjectIds are generated and why they can be predicted.

MongoDB Object ID structure diagram

Key insight: the machine identifier remains constant as long as the database runs on the same machine, so the only fields that differ between ObjectIds are the timestamp and the counter. Because MongoDB generates and assigns ObjectIds at the system level, the challenge comes down to guessing valid ObjectIds by incrementing the counter and timestamp values.

Exploitation Process

API Endpoint Discovery

Using Burp Suite (Community Edition) to intercept the requests issued by /dashboard, I discovered these API endpoints:

/api/v2/transactions/categories-spending
/api/v2/transactions/balance-history
/api/v2/auth/me
/api/v2/transactions

Transaction Data Analysis

From /api/v2/transactions, I retrieved JSON data containing the important IDs:

{
  "transactions":[{
    "_id":"685ea6813ac65c4cbc5585be",
    "fromUser":{
      "_id":"685ea4dc3ac65c4cbc558493",
      "username":"testing"
    },
    "toUser":{
      "_id":"685ea41a3ac65c4cbc558485",
      "username":"neo_system"
    },
    "amount":1,
    "description":"{{ 7 * 7 }}",
    "category":"Shopping",
    "date":"2025-06-27T14:11:13.983Z"
  }]
}

JWT Token Analysis

JWT token found in the request headers:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY4NWVhNGRjM2FjNjVjNGNiYzU1ODQ5MyIsImlhdCI6MTc1MTAzNjc0OCwiZXhwIjoxNzUxMDQwMzQ4fQ.mlk9XyGxc4lpDIBfswyeqrcNRj5GplORnY_7_1nr3Fw
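To make the key insight from Bounty Report #1 concrete, the following example (added here, not the write-up's own final.py or convert-ids-to-jwt.js) decodes the three ObjectIds from the transactions JSON and the session JWT quoted above. It shows that all three ids share the same 5 process bytes, that the two user ids differ by only 194 seconds and 14 counter steps, and that the JWT's id claim is simply the logged-in user's ObjectId, which is why an ObjectId must never be treated as an unguessable secret or as the sole authorization check.

```python
import base64
import datetime as dt
import json

# Values quoted from the write-up: the three ObjectIds returned by
# /api/v2/transactions and the session JWT seen in the request headers.
OIDS = {"transaction": "685ea6813ac65c4cbc5585be",
        "testing": "685ea4dc3ac65c4cbc558493",
        "neo_system": "685ea41a3ac65c4cbc558485"}
JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
       "eyJpZCI6IjY4NWVhNGRjM2FjNjVjNGNiYzU1ODQ5MyIsImlhdCI6MTc1MTAzNjc0OCwiZXhwIjoxNzUxMDQwMzQ4fQ."
       "mlk9XyGxc4lpDIBfswyeqrcNRj5GplORnY_7_1nr3Fw")

def parse_object_id(oid: str) -> dict:
    """Split a 24-hex-char ObjectId into its fields.
    Layout: 4-byte big-endian Unix time | 5 bytes fixed per process (machine
    id + pid in older drivers, random in current ones) | 3-byte big-endian
    counter that increments once per ObjectId the process generates.
    """
    raw = bytes.fromhex(oid)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes / 24 hex characters")
    ts = int.from_bytes(raw[:4], "big")
    utc = dt.datetime.fromtimestamp(ts, dt.timezone.utc)
    return {"timestamp": ts, "utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "process": raw[4:9].hex(), "counter": int.from_bytes(raw[9:], "big")}

def guess_space(known: str, target: str) -> dict:
    """Upper bound on the ids an attacker must try to reach `target` from `known`.
    With the 5 process bytes shared, only time and counter vary, so the search
    is at most (seconds apart + 1) * (counter gap + 1) candidates.
    """
    a, b = parse_object_id(known), parse_object_id(target)
    same = a["process"] == b["process"]
    secs = abs(a["timestamp"] - b["timestamp"])
    gap = abs(a["counter"] - b["counter"])
    return {"same_process": same, "seconds_apart": secs, "counter_gap": gap,
            "candidates": (secs + 1) * (gap + 1) if same else None}

def jwt_claims(token: str) -> dict:
    """Decode the JWT header alg and payload claims for inspection (no signature check)."""
    def b64json(part: str) -> dict:  # JWT segments are unpadded base64url
        return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    header, payload, _sig = token.split(".")
    return {"alg": b64json(header)["alg"], **b64json(payload)}

if __name__ == "__main__":
    print(guess_space(OIDS["testing"], OIDS["neo_system"]), jwt_claims(JWT))
```

The transaction id decodes to 2025-06-27T14:11:13Z, matching the `date` field in the JSON to the second, and the JWT expires exactly 3600 seconds after it was issued.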

Burp Suite Intruder Attack

Burp Suite Intruder showing 404 responses

Tools and Scripts

MongoDB ObjectId Predictor

python3 final.py <mongo-object-id-here>

JWT Token Converter

Script that converts the predicted MongoDB ObjectIds into JWT tokens:

node convert-ids-to-jwt.js

References