CyberKavach QuestCon Series: Hawkins Laboratory Research Portal (BOLA Challenge)

-

Hawkins Laboratory Research Portal (BOLA Challenge)


Welcome back to the CyberKavach QuestCon write-up series! The PCCOE OWASP Student Chapter presents a walkthrough for the Hawkins Laboratory Research Portal challenge, a demonstration of Broken Object Level Authorization (BOLA) vulnerabilities in Stranger Things style.

Author: Aaryan Bhujang


Challenge Overview

  • Category: Web Application Security

  • Vulnerability: Broken Object Level Authorization (BOLA)

  • Theme: Stranger Things, Hawkins Laboratory

  • Objective: Exploit BOLA to access classified research notes and retrieve two unique flags.


Initial Reconnaissance

  1. Register a new user account.


POST /auth/register

Content-Type: application/json

{

  "username": "user",

  "password": "qwertyuiop"

}


  1. Login to obtain a JWT token.

POST /auth/login

Content-Type: application/json

{

  "username": "user", 

  "password": "qwertyuiop"

}



Portal Exploration

  • The portal has a dark Stranger Things theme, displaying 6 research projects.

  • Each project is led by a researcher: Dr. Eleven, Dr. Dustin, Dr. Max, Dr. Will, Dr. Mike, Dr. Lucas.

  • Each researcher’s name is clickable.


Target Discovery

  • Test each clickable name.

    • /users/eleven and /users/dustin are valid.

    • Others return 404 errors.

  • Only “Eleven” and “Dustin” have accessible researcher profiles.


API Reconnaissance & Bypassing Newer Defenses

  • Inspect network requests when clicking a researcher.

    • Notable endpoint: /api/v2/users/eleven (secured, only public data shown).

  • Try accessing an older API version: /api/v1/users/eleven with JWT token.


BOLA Vulnerability Exposed

  • Key Finding: /api/v1/users/eleven grants unauthorized account access.

  • Use JWT token in Authorization header.

  • The response leaks private user details, including researcher username and role.


Flag Extraction: Elevent’s Account

  • Call /api/v1/notes after pivoting to Eleven’s account.

  • The response includes the first flag.



Flag Extraction: Dustin’s Account

  • Repeat: pivot to /api/v1/users/dustin, then call /api/v1/notes.

  • The response includes the second flag.


Summary of Exploit Flow

  1. Register/login to get your JWT.

  2. Use valid researcher profile URLs to force role pivot using /api/v1/users/{target}.

  3. Directly access /api/v1/notes to receive notes for the current (now pivoted) account.

  4. Exfiltrate both flags.


Attack Flow: Why It Works

  • The BOLA vulnerability allows users to escalate privileges and access other users’ sensitive data.

  • No authorization checks in the v1 users endpoint means anyone can impersonate any other valid user by calling /api/v1/users/{id} then /api/v1/notes.


Key Insight

Modern API designs often deprecate older endpoints but fail to properly restrict them, leaving serious vulnerabilities open. Always audit for direct object reference paths and legacy endpoints during app assessments.


Congratulations to all solvers who exposed the secrets of Hawkins Lab and leveraged classic BOLA for maximum impact!


Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more