Neonify

Neonify is a challenge box in the 'Web' category. It's a web app that 'neonifies' your input. You are provided with the source code, so you can see what is going on behind the scenes.

Looking at the regex, we can see that the only characters allowed here are a-z and 0-9 (case insensitive, since it has the '/i' at the end).

source code

I found this article about bypassing Ruby regex with a line feed and decided to give it a go.

It worked. So now we have a way to bypass the regex and just need to figure out how to get the flag.
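Why the line feed works, as an added example (not the challenge's own code): in Ruby, `^` and `$` are line anchors, so a check like `/^[a-z0-9]+$/i` is satisfied as long as one line of the input is clean. Anchoring with `\A` and `\z` checks the whole string. The regex shape and the sample inputs below are assumptions based on the description above.

```ruby
# Assumed shape of the app's allow-list check: letters and digits only, case-insensitive.
# In Ruby ^ and $ match at the start/end of ANY line, not just the whole string.
WEAK_RE   = /^[a-z0-9]+$/i

# \A anchors to the start of the string and \z to its very end.
# (\Z would still allow a single trailing newline, so \z is the right choice.)
STRICT_RE = /\A[a-z0-9]+\z/i

def weak_check(input)
  !!(input =~ WEAK_RE)
end

def strict_check(input)
  !!(input =~ STRICT_RE)
end

# Constructed sample inputs: a clean value, a clean first line followed by a
# line feed and a second line containing ERB syntax, and the ERB syntax alone.
SAMPLE_INPUTS = [
  "neon42",
  "neon42\n<%= 1 + 1 %>",
  "<%= 1 + 1 %>",
].freeze

# Returns [input, passes_weak_check, passes_strict_check] for each sample.
def compare_checks
  SAMPLE_INPUTS.map { |i| [i, weak_check(i), strict_check(i)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |input, weak, strict|
    puts "#{input.inspect.ljust(24)} weak=#{weak} strict=#{strict}"
  end
end
```

The multi-line input passes the weak check only because its first line is clean; the strict check rejects it. Even with the anchors fixed, user input should never be placed into an ERB template as template source.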

Since we already have the source code for the app, we know the path to flag.txt, so we can craft our request to read that file. I'm not that familiar with Ruby, so I looked at this site and ended up with this payload: <%= File.open('flag.txt').read %>

This gave me the flag, and the challenge is complete.