Secure Notes – HTB Writeup | Web Challenge

Hi everyone!

In this write-up, we’ll solve the HackTheBox web challenge Secure Notes. It’s a classic prototype pollution challenge combined with a tricky localhost bypass on the /flag endpoint. I really enjoyed this one because it forces you to dig deep into how Node.js handles socket properties and how Mongoose can be tricked into polluting Object.prototype.

If you’re new to these kinds of challenges, don’t worry, I’ll explain everything step by step, including the exact logic behind why the exploit works. Let’s dive in!

🔒 WRITE-UP STATUS

Challenge Active · Write-up Locked

Hack The Box Policy Compliant

This challenge is currently active on Hack The Box. To respect platform rules and ensure fair play, the full technical write-up is temporarily locked.

⏳ Write-up will be released after challenge retirement
