HackTheBox - Sorcery

IppSec
Apr 25, 2026

Why It Matters

Understanding Neo4j injection and AI‑assisted exploitation equips security teams to detect and mitigate emerging attack surfaces in modern web stacks, especially those leveraging containerized services.

Key Takeaways

  • Identify Neo4j injection via malformed product query parameters.
  • Use AI assistance to craft injection payloads quickly.
  • Exploit passkey authentication to forge credentials and log in.
  • Recognize Docker container hints from TTL differences for exploitation.
  • Combine source code analysis with Burp to extract the registration key.

Summary

The video walks through the Hack The Box "Sorcery" machine, beginning with standard enumeration that reveals only SSH and HTTPS services. The HTTPS site runs a minimal Next.js front‑end backed by a Rust Rocket server, hinting at a Neo4j database. Early testing shows error messages on malformed quotes, prompting the author to investigate the source code and discover a Neo4j Cypher query vulnerable to injection.

Key insights emerge as the presenter leverages Burp Suite and Claude, an AI assistant, to craft a Cypher UNION payload that extracts the registration key and user password hashes. By manipulating the templating brackets and commenting out the remainder of the query, a full data dump is achieved, demonstrating the power of AI‑augmented exploitation. The walkthrough also covers the newer passkey authentication mechanism, showing how to forge a valid passkey and log in as an admin user. Notable moments include the TTL analysis that suggests the web server runs in a separate Docker container, affecting available binaries for post‑exploitation. The presenter also highlights the importance of reviewing the repository linked from the site, which contains the full Rust source, enabling precise identification of injection points.

Throughout, the video balances manual probing with AI‑driven suggestions, illustrating a hybrid approach to modern CTF challenges. For practitioners, the Sorcery box underscores the need to recognize non‑SQL injection vectors, adapt to emerging authentication schemes, and consider containerization nuances during exploitation. It also showcases how integrating AI tools can accelerate payload development, though human verification remains essential.
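The injectable pattern the summary describes (a product search term pasted into Cypher text, where a stray quote breaks the statement and a comment marker swallows the rest) is easy to model beside its parameterized fix. The following Python is an added example, not code from the Sorcery box, its Rust source, or IppSec's video: the query template, the function names (build_product_query_unsafe, build_product_query_safe, quote_balanced, flag_suspicious_param, scan_log) and the access-log lines are all constructed for illustration, and the detection heuristics are a starting point to tune against the application's real queries.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical query shape. The box's real Cypher query lives in its Rust
# source (see the summary); this template only models the injectable pattern.
PRODUCT_QUERY_TEMPLATE = (
    "MATCH (p:Product) WHERE p.name CONTAINS '{term}' RETURN p.name, p.price"
)
PRODUCT_QUERY_SAFE = (
    "MATCH (p:Product) WHERE p.name CONTAINS $term RETURN p.name, p.price"
)


def build_product_query_unsafe(term: str) -> str:
    """Vulnerable pattern: the search term is formatted into the Cypher text.

    A single quote in `term` ends the string literal, and `//` turns the rest
    of the statement into a comment, which is the weakness the summary
    describes for the box's templated query.
    """
    return PRODUCT_QUERY_TEMPLATE.format(term=term)


def build_product_query_safe(term: str) -> tuple:
    """Hardened pattern: constant Cypher text plus a bound parameter.

    The Neo4j driver sends $term separately from the statement, so quotes
    and comment markers stay inside the value instead of changing the query.
    """
    return PRODUCT_QUERY_SAFE, {"term": term}


def quote_balanced(query: str) -> bool:
    """True when the statement's single quotes pair up.

    An odd count is the simplest model of the 'malformed quote' parse error
    the summary mentions: the server answers with an error, not results.
    """
    return query.count("'") % 2 == 0


# Constructed heuristics for a product search parameter: a closed literal
# followed by a new clause, and Cypher comment markers.
SUSPICIOUS_PATTERNS = {
    "quote_then_clause": re.compile(
        r"'\s*\)?\s*(?:UNION|RETURN|MATCH|WITH|SET|DELETE|CALL)\b", re.IGNORECASE
    ),
    "line_comment": re.compile(r"//"),
    "block_comment": re.compile(r"/\*"),
}


def flag_suspicious_param(value: str) -> list:
    """Return the names of every heuristic an already URL-decoded value trips."""
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(value)]
    if value.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


# Constructed access-log lines (not captured from the box). The second one is
# the innocent malformed-quote case; the third is a quote-plus-clause probe.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Apr/2026:10:00:01 +0000] "GET /products?q=wand HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Apr/2026:10:00:07 +0000] "GET /products?q=o%27reilly HTTP/1.1" 500 88',
    '10.0.0.9 - - [25/Apr/2026:10:01:13 +0000] "GET /products?q=%27%20UNION%20MATCH%20%2F%2F HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(lines) -> list:
    """Flag requests whose query-string values look like Cypher probes.

    Each finding keeps the client IP, parameter, decoded value, response
    status and the heuristics that fired, so a 500 on a single stray quote
    can be told apart from a deliberate clause injection.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hits = flag_suspicious_param(value)
                if hits:
                    findings.append({
                        "ip": m["ip"], "param": name, "value": value,
                        "status": int(m["status"]), "rules": hits,
                    })
    return findings


if __name__ == "__main__":
    print(build_product_query_unsafe("o'reilly"))
    print(build_product_query_safe("o'reilly"))
    for finding in scan_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The safe builder returns a constant statement and a parameter map; with the official neo4j Python driver you pass those to session.run and never format user text into the Cypher string. The log scanner is deliberately noisy on the unbalanced-quote rule alone (a legitimate "o'reilly" search trips it), so in practice weight the quote_then_clause and comment rules higher and correlate with 5xx responses on the product endpoint.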

Original Description

00:00 - Introduction
00:40 - Start of nmap
05:00 - Logging into the website, discovering some type of injection. Sending it to Claude in the background, while we look at it.
09:40 - Playing with a Neo4j/Cypher injection, found the query in the source code
20:30 - When we register as a seller, we can create products; there is XSS here
27:20 - Using CSRF to have the user send us the page they are on, which is how we know the username
33:40 - Using Chrome to enroll in passkey (WebAuthn) login via a virtual passkey, looking at the HTTP Requests in BurpSuite
39:50 - Modifying our CSRF Script to start the enrollment of a PassKey and then send the challenge to our box, which lets us forge a response
46:25 - Start of creating our Flask App that uses the Soft-WebAuthN library to act as a virtual passkey, this lets us complete the challenge/response of passkeys
1:23:02 - Finally got the passkey registered via JS, now we need to actually authenticate via the passkey so we can grab the cookie
1:39:00 - Showing the unintended that lets us skip the XSS and PassKey Step. Using a Cypher Query to update the admin password then logging in as them
1:48:00 - Admin has the ability to send TCP Packets and specify data, showing this by making a request to a webserver
1:53:50 - Looking at the Rust Code, seeing it executes anything sent to the update topic of Kafka. Using Claude to build us the TCP Packet we can send to kafka and trigger RCE
2:02:30 - Uploading Chisel so we can easily pivot around, then downloading a certificate off the FTP Server
2:09:40 - Using pem2john to try and crack the RSA Certificate, finding out I needed to update pem2john to get it to work.
2:22:30 - Using OpenSSL to sign a key with the CA
2:24:30 - Using MITMDump to forward all requests to gitea, and dump the traffic so we can phish the user, then update the DNS Container to include our hostname and swaks to email the user
2:33:00 - Got tom_summers credentials which gets us SSH Access, finding an xvfb dump, converting it to png and getting the password of the screen
2:37:50 - pspy gets us a password that lets us into the Docker registry
2:45:50 - Using drg.py (Docker Registry Grabber) to download the container and finding another password
2:51:45 - Doing some FreeIPA (Kerberos on Linux) jumps to get to root by adding a user to a group and manipulating sudo
