A new app called `Swag Shop` appeared under `apps`, with the challenge:
![3fda0ca46da9016d783d3ba28c6b7f2c.png](a8e0b6603f484bb78785a993113d92fe.png)
![dda2e22635137c2a2aeb9a479fcab201.png](2a25b1bd83304bf69c67046edeed4ba8.png)
I fired up `burp` and clicked `Purchase` to capture that request.
![5c2de6afed390778026e33c7d92a18a0.png](489e714741ae4ebf892fb21b79e42f9f.png)
It sends the purchase off to an `API`. Let's see if we can enumerate this a bit. First up, `gobuster`.
`gobuster dir -u https://hackyholidays.h1ctf.com/swag-shop/api/ -w medium.txt`
Using the `medium` wordlist from `SecLists`, we found:
![ec1e5aac1535f3b4ca5b2df4786bc214.png](20191374502240b0aff4b029a57aa6dc.png)
Nice, so there are three new endpoints. Let's enumerate the `users` one first.
Arjun, you're up!
![4c5024a8b58cc52cc08c7ed0440e9e1d.png](cd4e1641048b4379854708b03f51137d.png)
`UUID`, eh? Well, that's going to be hard to guess. If all else fails we can brute-force it as a last resort. Let's see what the `sessions` one has for us.
![a2fec83b04597a2706f2727ff269e2ae.png](14b14c1e493e4351a8cd127a88028e40.png)
What's this?
![6437e7f957a7d057b95837ea5991f51e.png](e216a14ff5ac4dc1917415dd5092e4bb.png)
Base64. Decoding each session in turn, we find...
![3094a95421349c74661c4247f27106ff.png](5f4b172ccc9a447392c5286e65aad4d2.png)
...on session 2! That looks like a `UUID` to me! Let's try it out.
![5d2976a30912c6b0a3edeae6208908b7.png](6d774512d47341b1b4cf0293c6268a88.png)
Got it!
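As an added example (not part of the original writeup), here is a small Python check that does what the `sessions` step above did by hand: base64-decode every session blob an endpoint returns and flag any whose decoded body contains a UUID. The sample sessions are constructed for this example, not the challenge's real data; the same check doubles as a quick audit of whether an application's session listing leaks user identifiers.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample of what a sessions endpoint might return.
# These values are made up for this example; the real challenge data is not shown.
SAMPLE_SESSIONS: List[str] = [
    base64.b64encode(b'{"cart":[],"locale":"en"}').decode(),
    base64.b64encode(
        b'{"user":"6a3f0c2e-9b1d-4e7a-8c5f-0d2b7e9a1f34","cart":["hat"]}'
    ).decode(),
    "not-base64!!",  # garbage entry, must be skipped rather than crash the scan
    base64.b64encode(b'{"cart":["mug"]}').decode(),
]

# RFC 4122 layout: 8-4-4-4-12 hex, version nibble 1-5, variant nibble 8/9/a/b.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)


def decode_session(blob: str) -> Optional[str]:
    """Base64-decode one session value, tolerating stripped '=' padding.

    Returns None when the value is not valid base64 or not UTF-8 text,
    so a single malformed entry does not abort the whole scan.
    """
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_leaked_uuids(sessions: List[str]) -> Dict[int, List[str]]:
    """Map session index -> UUIDs found in that session's decoded body."""
    hits: Dict[int, List[str]] = {}
    for idx, blob in enumerate(sessions):
        text = decode_session(blob)
        if text is None:
            continue
        found = UUID_RE.findall(text)
        if found:
            hits[idx] = found
    return hits


if __name__ == "__main__":
    for idx, uuids in find_leaked_uuids(SAMPLE_SESSIONS).items():
        print(f"session {idx} exposes identifier(s): {', '.join(uuids)}")
```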
---
Tags: #ctf #api #web #arjun #gobuster