https://old.frang4.tech/tags/injection/ Recent content in Injection on Hugo en-us Thu, 10 Jul 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/cypher/writeup/ Thu, 10 Jul 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/cypher/writeup/ <p><code>Cypher</code> is a Hack The Box machine released on 01 Mar 2025</p> <h2 id="summary-how">Summary (How?)</h2> <p>Cypher is a HTB machine running a web app that relies on a Neo4j graph database. A <code>Cypher-injection</code> flaw lets us bypass the login logic and enumerate data. Then, an exposed directory holds a JAR file whose decompiled code reveals a custom Neo4j procedure that executes shell commands without sanitisation (<code>command injection</code>); exploiting that procedure yields remote code execution and a reverse shell.</p>