A new app appeared under `apps` called `Swag Shop`, with this challenge:

![3fda0ca46da9016d783d3ba28c6b7f2c.png](a8e0b6603f484bb78785a993113d92fe.png)

![dda2e22635137c2a2aeb9a479fcab201.png](2a25b1bd83304bf69c67046edeed4ba8.png)

I fired up `burp` and clicked `Purchase` to capture that request:

![5c2de6afed390778026e33c7d92a18a0.png](489e714741ae4ebf892fb21b79e42f9f.png)

It sends the purchase off to an `API`. Let's see if we can enumerate this a bit. First up, `gobuster`:

`gobuster dir -u https://hackyholidays.h1ctf.com/swag-shop/api/ -w medium.txt`

using the `medium` wordlist from `SECLists` we found.

![ec1e5aac1535f3b4ca5b2df4786bc214.png](20191374502240b0aff4b029a57aa6dc.png)

Nice, so there are three new endpoints. Let's enumerate the `users` one first. Arjun, you're up!

![4c5024a8b58cc52cc08c7ed0440e9e1d.png](cd4e1641048b4379854708b03f51137d.png)

`UUID`, eh? Well, that's going to be hard to guess. If all else fails we can brute it as a last resort. Let's see what the `sessions` one has for us:

![a2fec83b04597a2706f2727ff269e2ae.png](14b14c1e493e4351a8cd127a88028e40.png)

What's this?

![6437e7f957a7d057b95837ea5991f51e.png](e216a14ff5ac4dc1917415dd5092e4bb.png)

Base64. Going through each session and decoding it, we find...

![3094a95421349c74661c4247f27106ff.png](5f4b172ccc9a447392c5286e65aad4d2.png)

...on session 2! That looks like a `UUID` to me! Let's try it out against the `users` endpoint:

![5d2976a30912c6b0a3edeae6208908b7.png](6d774512d47341b1b4cf0293c6268a88.png)

Got it!

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #api #web #arjun #gobuster

Related:
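The step that cracked this challenge, decoding each value from the `sessions` endpoint and spotting a `UUID` inside one of them, is the kind of check worth automating when reviewing your own API: a session token should be opaque and never carry a user identifier. Below is an added example (my own code, not part of the original note or the challenge), which decodes a list of base64 session values, tolerating stripped padding and URL-safe alphabets, and reports any that contain a UUID; the sample session values are constructed, not the real ones from the CTF.

```python
import base64
import binascii
import re
from typing import Optional

# RFC 4122-shaped UUID (version/variant nibbles deliberately not enforced,
# so any 8-4-4-4-12 hex string is reported).
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def b64decode_lenient(value: str) -> Optional[str]:
    """Decode standard or URL-safe base64 even when padding was stripped.

    Returns None when the value is not valid base64 or does not decode to
    UTF-8 text (an opaque random token will usually fail here, which is
    exactly what we want from a session identifier).
    """
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)  # restore padding to a multiple of 4
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_leaked_uuids(sessions: list) -> dict:
    """Map each session value whose decoded text contains a UUID to the
    UUIDs found. An empty result is the outcome a defender wants."""
    leaks = {}
    for raw in sessions:
        decoded = b64decode_lenient(raw)
        if decoded is None:
            continue
        found = UUID_RE.findall(decoded)
        if found:
            leaks[raw] = found
    return leaks


# Constructed sample values shaped like a sessions listing; the challenge's
# real responses are not reproduced here.
SAMPLE_SESSIONS = [
    base64.b64encode(b'{"cart":[],"total":0}').decode(),
    base64.b64encode(b'{"user":"123e4567-e89b-12d3-a456-426614174000"}').decode(),
    "not-base64!!",
]

if __name__ == "__main__":
    for token, ids in find_leaked_uuids(SAMPLE_SESSIONS).items():
        print(f"session {token[:16]}... leaks {ids}")
```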