RTFM Hackerone CTF Writeup

Published on December 14, 2021. Updated on January 14, 2022.

Flag 0

Hint given: Wordlists will help you find something to do

  • Let's start with basic directory fuzzing on the /api/v1 endpoint and see what comes back.
  • gobuster dir -w wordlist.txt -u
  • After the fuzzing completed we found the following endpoint:
  • /config
  • Sending a request to /config reveals the first flag.

Flag 1

Hint given: If a GET doesn't do anything, try a different HTTP verb

  • If we send a GET request to the user endpoint, the response says "X-Token header authentication missing".
  • Let's include an X-Token header with an arbitrary value; the response now says "Invalid Token".
  • Changing the HTTP method to POST, the response says "missing username and password", which shows that /user is a POST endpoint that takes two parameters, username and password.
  • Sending the request with a username and password gives us the flag.

Flag 2

Hint given: Maybe you can edit your profile? but what fields can you change?

  • In the previous flag we found an endpoint to log in: send a POST request to api/v1/user/login with the username and password and we get a token.
  • Thinking about the hint, editing a profile means a PUT request, but what can we update? We use the token from the previous flag in the X-Token header and send a PUT request to the user endpoint; we get a response, so now we need to find the updatable field.
  • So we start brute-forcing field names, and we get a different response for avatar: it only accepts a URL.
  • After various tries I found an SSRF: setting the avatar to localhost/api/v1/secrets gives us the flag.
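The avatar field above fetched whatever URL it was given, which is how localhost/api/v1/secrets became reachable. The validator below is an added example of the server-side check that closes that hole; it is not code from the CTF or from the author, and validate_avatar_url, its resolver parameter and the "avatar" field name are assumptions for the example. Only http(s) is allowed, loopback names and every address the host resolves to are checked, and a hostname is rejected if even one of its addresses is non-public.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical validator for a profile "avatar" field that must hold a URL.
# The resolver is injectable so the check can be exercised offline with
# constructed DNS answers; by default it uses the system resolver.

def default_resolver(host):
    """Return every address the hostname resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_disallowed_address(addr_text):
    # is_global is False for loopback, RFC 1918, link-local, unspecified and
    # the documentation/test ranges; multicast is excluded separately.
    addr = ipaddress.ip_address(addr_text)
    return (not addr.is_global) or addr.is_multicast


def validate_avatar_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only for http(s) URLs whose host
    resolves exclusively to public unicast addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback name"
    # Literal IPs (IPv4 or IPv6) need no DNS lookup.
    try:
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
        if not addresses:
            return False, "host does not resolve"
    for addr in addresses:
        if _is_disallowed_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://localhost/api/v1/secrets",
                      "http://127.0.0.1/api/v1/secrets",
                      "https://cdn.example/avatar.png"):
        print(candidate, validate_avatar_url(candidate))
```

Two caveats a reviewer would raise: the addresses checked here are the ones seen at validation time, so the fetch itself must connect to those same addresses (or re-validate) rather than resolving the name again, otherwise a short-TTL DNS answer can swap in 127.0.0.1 between check and use; and the fetcher must not follow redirects blindly, since a public host can 302 to an internal one.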

Flag 3

Hint given: Sometimes developers hide extra features into a page… but how can you access it?

  • After fuzzing almost everything without finding anything, I went back to the parameters I had found and started fuzzing parameter names there; by applying a response-size filter I found verbose.
  • ffuf -u -w wordlist.txt -fs 1-20 -s
  • On visiting it I got the flag.

Flag 4

Hint given: Have you read the new version of the API's documentation?

  • After a lot of fuzzing and brute-forcing on api/v2, I found the flag in the swagger.json file.

Flag 5

Hint given: How can you use the same session across multiple different instances and versions?

  • If we send a GET request to /4466a43d24/api/v2/admin/user-list, the response says "Your user level needs to be an admin".
  • So we need admin access to get the list. We register with user /user?=admin and get a token.
  • Sending that token with the request gives us the flag.
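Registering with an admin value in the request was enough to obtain an admin session here, which means the server took the user level from client input. The handler set below is an added example of how the check is normally structured so that cannot happen; it is not the CTF's server code or the author's, and register, issue_token, verify_token, admin_user_list, the in-memory USERS table and SERVER_KEY are all assumptions constructed for the example. Every new account is created as a plain user regardless of what else the client sends, the token names only the subject, and the role is read from the server-side record on each request.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a real deployment keeps the key outside the
# code and the user table in a database.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
USERS = {}  # username -> {"salt": bytes, "password_hash": bytes, "role": str}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password, **client_fields):
    """Create an account. Extra fields the client sends (role, level,
    user=admin and so on) are accepted by the signature but deliberately
    never read: every new account starts as a plain user."""
    if username in USERS:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "password_hash": _hash_password(password, salt),
        "role": "user",  # fixed server-side default, never client-controlled
    }
    return issue_token(username)


def login(username, password):
    """Return a token for valid credentials, else None."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(
            record["password_hash"], _hash_password(password, record["salt"])):
        return None
    return issue_token(username)


def issue_token(username):
    """Token = hex(payload) + "." + HMAC-SHA256(payload). The payload names
    the subject only; the role is looked up server-side on every request."""
    payload = json.dumps({"sub": username}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def verify_token(token):
    """Return the username the token was issued for, or None if it is
    malformed, tampered with, or refers to an unknown account."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    username = json.loads(payload).get("sub")
    return username if username in USERS else None


def admin_user_list(x_token):
    """Handler for the admin user-list route. Returns (status, body)."""
    username = verify_token(x_token) if x_token else None
    if username is None:
        return 401, {"error": "X-Token header authentication missing"}
    if USERS[username]["role"] != "admin":
        return 403, {"error": "Your user level needs to be an admin"}
    return 200, {"users": sorted(USERS)}


if __name__ == "__main__":
    token = register("demo", "s3cret", user="admin", role="admin")
    print(admin_user_list(token))  # 403: the extra fields changed nothing
```

Because the role is read from the store at request time rather than embedded in the token, a promotion or demotion takes effect immediately, and a token issued by one instance or API version carries no privilege claim that another version might trust.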

Flag 6

Hint given: Some features were never quite finished properly in some versions

  • Returning to api/v1 and fuzzing there, we get the flag at post/1.

Flag 7

Hint given: Take a close look at the returned headers from all of your endpoints, is there anything different about one of them? Maybe there's a second server somewhere? Possibly we can get access to things higher up...

  • Send a GET request to api/v1/post-analytics/ and you get a response, but when you request it without the trailing slash, api/v1/post-analytics, you get a redirect.
  • From there you can traverse directories: to escape the / we use ..\ and see the public folder, and with ..\private we get the flag.
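The second server here let a backslash sequence (..\) walk out of the public folder, which means its path check either only looked for ../ or never anchored the request to a document root. The helper below is an added example of the defensive version of that check, not code from the CTF or the author; resolve_public_path, is_safe and the /srv/app/public root are assumptions for the example. It decodes once, treats backslashes as separators, joins against the root, normalizes, and refuses anything that does not remain inside the root.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical helper for a file-serving route: maps a requested path onto a
# fixed document root and refuses anything that would escape it, whichever
# separator the client uses. posixpath is used so results are identical on
# every OS; a real handler would also realpath() the result to defeat symlinks.

class PathTraversalError(ValueError):
    pass


def resolve_public_path(requested, root="/srv/app/public"):
    """Return the absolute path under root for `requested`, or raise."""
    # Decode exactly once so %2e%2e-style encodings reach the checks below.
    candidate = unquote(requested)
    if "\x00" in candidate:
        raise PathTraversalError("NUL byte in path")
    # Backslashes are separators on Windows hosts and in some frameworks on
    # POSIX too, so "..\" has to count as "../" here.
    candidate = candidate.replace("\\", "/")
    # Strip leading separators so the request is always relative to root.
    candidate = candidate.lstrip("/")
    root_norm = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root_norm, candidate))
    if joined != root_norm and not joined.startswith(root_norm + "/"):
        raise PathTraversalError(f"{requested!r} escapes {root}")
    return joined


def is_safe(requested, root="/srv/app/public"):
    """Convenience wrapper: True if the request stays inside root."""
    try:
        resolve_public_path(requested, root)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for req in ("posts/1.json", "..\\private\\flag", "../private/flag",
                "%2e%2e/private/flag", "/etc/passwd"):
        print(repr(req), "->", is_safe(req))
```

Note that an absolute-looking request such as /etc/passwd is not rejected but re-rooted under the document root, which is the behaviour a static-file route usually wants; the only outcome that is refused is one where the normalized path lands outside the root.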
