
Hi everyone!
In this write-up, we’ll solve the HackTheBox web challenge Secure Notes. It’s a classic prototype pollution challenge combined with a tricky localhost bypass on the /flag endpoint. I really enjoyed this one because it forces you to dig deep into how Node.js handles socket properties and how Mongoose can be tricked into polluting Object.prototype.
If you’re new to these kinds of challenges, don’t worry: I’ll explain everything step by step, including the exact logic behind why the exploit works. Let’s dive in!
Challenge Active · Write-up Locked
Hack The Box Policy Compliant
This challenge is currently active on Hack The Box. To respect platform rules and ensure fair play, the full technical write-up is temporarily locked.
