A new app appeared under `apps` called `Swag Shop` with the challenge


I fired up `burp` and clicked `Purchase` to capture that request.

It sends the purchase off to an `API`. Let's see if we can enumerate this a bit. First up, `gobuster`.
`gobuster dir -u https://hackyholidays.h1ctf.com/swag-shop/api/ -w medium.txt`
using the `medium` wordlist from `SecLists`, we found

Nice, so there are three new endpoints. Let's enumerate that `users` one first.
Arjun, you're up! Time to find out which parameters it accepts.

`UUID` eh? Well, that's going to be hard to guess. If all else fails, we can brute-force it as a last resort. Let's see what the `sessions` one has for us.

What's this?

Base64. Going through each session, we find...

on session 2! That looks like a `UUID` to me! Let's try it out.

Got it!
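A note on the "brute it as a last resort" idea: a random (v4) UUID carries 122 bits of entropy, so guessing one over HTTP is not a realistic option, and the right move is exactly what happened here: find where the value leaks. Sweeping every session by hand gets old fast, though, so here is an added example (my own script, not part of the original writeup or the challenge) that does the tedious part: loosely Base64-decode each session value, tolerating missing `=` padding and the URL-safe alphabet, and regex out anything shaped like a UUID. The session values below are constructed sample data; in practice you would fill `sessions` from the `sessions` endpoint, whose exact request shape the writeup does not show.

```python
import base64
import binascii
import re
from typing import Dict, List

# RFC 4122 style UUID (8-4-4-4-12 hex groups), matched case-insensitively.
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def decode_b64_loose(value: str) -> bytes:
    """Decode Base64, tolerating URL-safe alphabets and stripped '=' padding.

    Session tokens are frequently emitted without padding, so re-pad before
    decoding. Anything that still fails to decode yields b'' instead of raising.
    """
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=False)
    except (binascii.Error, ValueError):
        return b""


def extract_uuids(session_value: str) -> List[str]:
    """Return every UUID found in one session value, decoded or not.

    The raw value is scanned too, in case the UUID is not Base64-wrapped at all.
    Results are lower-cased and de-duplicated, preserving first-seen order.
    """
    decoded = decode_b64_loose(session_value).decode("utf-8", errors="replace")
    found = UUID_RE.findall(session_value) + UUID_RE.findall(decoded)
    return list(dict.fromkeys(u.lower() for u in found))


def sweep_sessions(sessions: Dict[int, str]) -> Dict[int, List[str]]:
    """Map session id -> UUIDs, keeping only sessions that contain at least one."""
    hits: Dict[int, List[str]] = {}
    for sid, value in sorted(sessions.items()):
        uuids = extract_uuids(value)
        if uuids:
            hits[sid] = uuids
    return hits


# Constructed sample data (not from the real challenge): three Base64 session
# blobs, only the second of which wraps a UUID, mirroring the writeup's find.
SAMPLE_SESSIONS = {
    1: base64.b64encode(b'{"cart":[],"user":"guest"}').decode(),
    2: base64.b64encode(
        b'{"user":"3e9a1c70-5b2d-4f8e-9a6b-1c2d3e4f5a6b","cart":[]}'
    ).decode(),
    3: base64.b64encode(b'{"cart":["sticker"],"user":"guest"}').decode(),
}

if __name__ == "__main__":
    for sid, uuids in sweep_sessions(SAMPLE_SESSIONS).items():
        print(f"session {sid}: {', '.join(uuids)}")
```

Running it prints `session 2: 3e9a1c70-5b2d-4f8e-9a6b-1c2d3e4f5a6b` for the sample data. The loose decoder matters more than it looks: a strict `base64.b64decode` on an unpadded token raises `Incorrect padding`, and a sweep that crashes on session 1 never reaches session 2.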
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #api #web #arjun #gobuster
Related: