RTFM Hackerone CTF Writeup

Flag 0

Hint Given:- Wordlists will help you find something to do

• Let's start with basic fuzzing on the /api/v1 endpoint and check what we got  
• gobuster dir -w wordlist.txt -u http://35.227.24.107/89092085dd/api/v1
• After the fuzzing was completed we found the following endpoints 
• /config
  /secrets
  /status
  /user
• If we send a request to /config we will find out the first flag
• 

Flag 1

Hint Given:- If a GET doesn’t do anything, try a different HTTP verb

• If we send a get request to the user endpoint we will see that in the response it says X-Token header authentication missing
• 
• let's try to include an X-Token in our headers and provide any default value and it says Invalid Token
• 
• On Changing the HTTP method to post it says missing username and password which shows that the user is a post endpoint and takes to parameters username and password.
• 
• On sending the request with username and password we get our flag
• 

Flag 2

Hint Given  Maybe you can edit your profile? but what fields can you change?

• IN the previous flag we got an endpoint to log in, send a post request to api/v1/user/login with the username and password and we got a token
• 
• if we logically think here is means that we can edit for a profile which means a put request but what can we update so in the previous flag we got a token we will use that in the x-token header and will send a put request to the user and we got a response now we need to find out the updatable field
• 
• so we will start brute-forcing and we got a different response on avatar it only accepts a URL
• 
• on various tries, I found there is an ssrf so when trying localhost/api/v1/secrets we got a flag
• 
• 

Flag 3

Hint Given Sometimes developers hide extra features into a page… but how can you access it?

• After almost fuzzing everything I didn't find anything so I went back to parameters I found I started fuzzing parameters there and by applying to filter I got an endpoint verbose. 
• ffuf -u http://34.94.3.143/4f6cd6f1ea/api/v1/status?FUZZ=demo -w wordlist.txt -fs 1-20 -s
• on visiting it I got the flag 
• 

Flag 4

Have you read the new version of the API's documentation?

• After a lot of fuzzing and brute-forcing the api/v2 i found the flag which was in the swagger.json file
• 

Flag 5

How can you use the same session across multiple different instances and versions?

• If we send a get request to GET /4466a43d24/api/v2/admin/user-list it gives us the response Your user level needs to be an admin
• 
• then we need admin access to get the list. we will register with user /user?=admin and we will get a token 
• 
• after sending the token with a response we got the flag 
• 

Flag 6

Some features were never quite finished properly in some versions

• returning to api/v1 and fuzzing there we got a flag at post/1 
• 

Flag 7

Take a close look at the returned headers from all of your endpoints, is there anything different about one of them? Maybe there's a second server somewhere? Possibly we can get access to things higher up...

• send get request to api/v1/post-analytics/ and you will get a response but when you do it without the slash api/v1/post-analytics you will get a redirect.
• 
• There you can traverse the directory so to escape the / if we set ..\ we see the public folder and upon ..\private we got the flag.
•