Android HackTheBox Challenge – Manager Write-Up

This is a write-up on how to complete the challenge Manager on Hack The Box.

You will need a proxy utility like Burp and an Android device or emulator to complete this challenge. Here is a link to my guide on setting both up if needed.

The Android API level of the emulator needs to be 29 or earlier for HTB Android challenges.

First we will download Manager from HTB Challenges. Once downloaded we can extract the files to our workspace.

We can drag the Manager.apk file onto our Android emulator to install it.

We can now see Manager on the emulator.

Opening the application shows inputs for the IP address and port of the challenge instance provided by HTB.

Entering the IP address and port from HTB and clicking Connect reveals a login form.

Trying to log in as test:test returns the message "User Not Found".

With the emulator's traffic proxied through Burp, we can see the login POST request.

Let’s try and register a user for the application. I will use test:test.

With the test user created, we can exercise the application's requests and look for issues.

Let's send the password-update request to Repeater and analyze it.

We are able to successfully update our own password. What happens if we change the target user in the request to another user's account?

Resending the request with admin as the target user successfully updates the admin password. The server trusts the username supplied in the request instead of the identity of the logged-in session, a broken access control flaw.
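To make the flaw concrete, here is an added example that is not part of the write-up or the challenge's own code: a minimal in-memory model of the login and password-update endpoints, with the vulnerable handler (target account taken from the request body) beside a fixed one (target account taken from the session). The field names `username` and `new_password`, the session token handling and the status codes are assumptions; the real Manager API may differ.

```python
# Added example, not the challenge's code. Models the broken access control
# in a password-update endpoint and its fix. Field names, session handling
# and status codes are assumptions about the API, not taken from the app.
import hashlib
import hmac
import secrets

# Constructed sample state: username -> {salt, pw_hash}; token -> username.
USERS = {}
SESSIONS = {}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    """Creates or overwrites an account (the app's register form)."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash(password, salt)}


def login(username: str, password: str):
    """Returns a session token, or None ("User Not Found" / bad password)."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def change_password_vulnerable(token: str, body: dict) -> int:
    """Authenticates the caller but lets the body choose the target account."""
    if token not in SESSIONS:
        return 401
    target = body["username"]  # attacker-controlled: any existing account
    if target not in USERS:
        return 404
    register(target, body["new_password"])  # overwrite target's password
    return 200


def change_password_fixed(token: str, body: dict) -> int:
    """Derives the target account from the session, never from the body."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401
    # Reject (or ignore) any attempt to name a different account.
    if body.get("username", caller) != caller:
        return 403
    register(caller, body["new_password"])
    return 200


def replay_as_admin(handler):
    """Reproduces the write-up: register test:test, log in, then resend the
    password-update request with the target user changed to admin.
    Returns (status code, whether admin:test now logs in)."""
    register("admin", secrets.token_hex(16))  # admin password unknown to us
    register("test", "test")
    token = login("test", "test")
    status = handler(token, {"username": "admin", "new_password": "test"})
    return status, login("admin", "test") is not None


if __name__ == "__main__":
    print("vulnerable:", replay_as_admin(change_password_vulnerable))
    print("fixed:     ", replay_as_admin(change_password_fixed))
```

The fix is not extra validation of the `username` field but ignoring it entirely: the only account a password-change request may touch is the one bound to the session that sent it. Requiring the current password as well would additionally limit the damage from a stolen session token.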

Now we can log in as admin with the password test and retrieve the flag.

That completes the challenge! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod