Toy Management

Event: Cyber Santa is Coming to Town – 2021 HackTheBox

Category: web

PTS: 300


the evil elves have changed the admin access to Santa’s Toy Management Portal. Can you get the access back and save the Christmas?

Opening the webpage we’re immediately prompted this access form:

A quick analysis of the source code can help us to resolve this challenge quiet easily.
Inside the database.js file, the code that check our credentials, we can see how the query is structured and see that it’s not sanitized:

This quickly translate into SQL injection vulnerability, in fact if we try using the most classic username with some default SQL comment character such as:


We can login as the admin user and get our flag