
Overview
Neovault is a trusted banking application that allows users to effortlessly transfer funds to one another and conveniently download their transaction history. We invite you to explore the application for any potential vulnerabilities and uncover the flag hidden within its depths.
📝 Related Bug Bounty Reports
First Look
The hint from the related reports was enormous: we already know there is some kind of IDOR vulnerability, and we can see that we can download our own transactions through a route that takes our _id as a parameter.
There is also a route that returns information about a user based on their username. Together, those two routes give us everything we need to download any user's transactions.
NOTE: The reports mention a script that can generate an _id from a given Mongo id, but with what I found I did not need to use the script referred to in the reports.
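To make the two routes concrete from the defender's side, here is an added illustration that is not Neovault's code: a minimal in-memory model of a username lookup route and a transaction download route keyed by _id, each in a vulnerable form and a hardened form. All names, identifiers, documents and responses are constructed for the example; the handler shape (req.params, req.session) is an assumption and does not describe the challenge's real implementation.

```javascript
// Added illustration (not Neovault's code): a username lookup and a
// transaction download keyed by _id, vulnerable beside hardened.
// Every identifier and document below is constructed for the example.

// Constructed in-memory "database" with Mongo-style _id strings.
const users = [
  { _id: "64a1f0c2e4b0a1b2c3d4e5f6", username: "alice", role: "user" },
  { _id: "64a1f0c2e4b0a1b2c3d4e5f7", username: "admin", role: "admin" },
];
const transactions = [
  { owner: "64a1f0c2e4b0a1b2c3d4e5f6", amount: 25, memo: "coffee" },
  { owner: "64a1f0c2e4b0a1b2c3d4e5f7", amount: 9001, memo: "admin payroll" },
];

// Tiny stand-in for res.status(...).json(...).
function respond(status, body) {
  return { status, body };
}

// VULNERABLE lookup: returns the whole user document, including _id, to any
// caller, so the internal identifier needed by the download route leaks.
function lookupUserVulnerable(req) {
  const user = users.find((u) => u.username === req.params.username);
  return user ? respond(200, user) : respond(404, { error: "not found" });
}

// VULNERABLE download: trusts the _id supplied in the URL and never checks
// that it belongs to the logged-in user. That missing ownership check is the IDOR.
function downloadTransactionsVulnerable(req) {
  const rows = transactions.filter((t) => t.owner === req.params.id);
  return respond(200, rows);
}

// HARDENED lookup: expose only display-level fields, never the internal _id.
function lookupUserFixed(req) {
  const user = users.find((u) => u.username === req.params.username);
  if (!user) return respond(404, { error: "not found" });
  return respond(200, { username: user.username });
}

// HARDENED download: the owner comes from the server-side session, not from
// the request. A client-supplied id that does not match is rejected, and that
// mismatch is worth logging as a detection signal for IDOR probing.
function downloadTransactionsFixed(req) {
  const sessionUserId = req.session && req.session.userId;
  if (!sessionUserId) return respond(401, { error: "login required" });
  if (req.params.id !== undefined && req.params.id !== sessionUserId) {
    return respond(403, { error: "forbidden" });
  }
  const rows = transactions.filter((t) => t.owner === sessionUserId);
  return respond(200, rows);
}
```

The important design choice is that the hardened download route does not merely validate the client's id against the session; it derives the owner from the session and ignores the client's choice entirely, so there is no identifier for a caller to tamper with in the first place.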
Downloading Admin Transactions
The first thing I did was download the admin's transactions by leveraging the IDOR.

We can clearly see that another user exists under the name "user_with_flag".
Getting the flag
With that username we fetch the user's _id through the appropriate route and download their transactions as well, which gives us the flag:
