Challenge Overview
Can you try to get access to this website to get the flag?
You can download the source here.
The website is running here. Can you log in?
Solution
First by downloading the source and looking at the app/utils/seed.ts and app/utils/database.ts the email can be found and the database being used (MongoDB).
HackTricks has a good introduction to NoSQL injection. For basic authentication bypass, there is not equal ($ne) or greater ($gt), in the JSON format this could be used for the password {"$ne": null}.
Credentials:
User: joshiriya355@mumbama.com
Password: {"$ne":"null"}
Before inputting the credentials, to capture the network activity the developer tools under "Network" could be used. Refresh the page initially, then submit the credentials. Under /api/login response this is what is shown:
[{"_id":"65f08c8fcc707a71f4b10033","email":"joshiriya355@mumbama.com","firstName":"Josh","lastName":"Iriya","password":"Je80T8M7sUA","token":"cGljb0NURntqQmhEMnk3WG9OelB2XzFZeFM5RXc1cUwwdUk2cGFzcWxfaW5qZWN0aW9uX2YyZjE4NWYyfQ==","__v":0}]
The token is base64 and when decoded with CyberChef it gives the flag.
Flag: picoCTF{jBhD2y7XoNzPv_1YxS9Ew5qL0uI6pasql_injection_f2f1...}