Yesterday's challenge had an entry that said 'next page=/apps', so we start there.
The apps page has an app called the 'People Rater'.
![a6680fce69f18dcccf4ffd1b21ceb973.png](075ca02133c6491f84ff6eebfce37254.png)
Clicking these names pops up a box that says something bad. Let's inspect the button.
![ec407a8fbf79d608326b61ac093e8c80.png](f842febf7b14435c9baeab3b9e120301.png)
Interesting, looks like base64.
![f71fa5611e3d9af059785547d70de3f5.png](9b0db42a30a3479b9a8e446a3b9cc486.png)
And it is. Okay, so we can assume that clicking one of these buttons sends a request to an API that includes this field. Let's fire up Burp Suite and capture that request.
![9e79db2a3b9cd58732a3a94a22652ad1.png](3125776d93464405b6f9897da30ce7db.png)
Looks like the endpoint is `entry` and it takes the parameter `id`. When we decoded the base64 it said `id=2`, but that was the first name on the list. Where's `id=1`?
Let's see what happens when we pass `id=1`. First, base64 encode it.
![64288c04ed9dff78cf76fdd56d3393a6.png](062b54c82e154f7eb94a7b2eb4bcb640.png)
`eyJpZCI6MX0=`
Time to send it. (Right-click the request and `Send to Repeater`)
![50ec364f102ff0e69dd4ad40616508f5.png](ebe71908fddb46419df2e852cc7492dc.png)
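
The request above is possible because the base64 value is only an encoding, not an access check. As an added example (not code from the challenge or this write-up), here is an `entry` handler that trusts the decoded `id` next to one that checks it server-side; the record contents, `LISTED_IDS` and the function names are constructed assumptions.

```python
import base64
import binascii
import json

# Constructed sample data: record 1 exists but is not shown in the UI list.
RECORDS = {1: "unlisted entry", 2: "first listed name", 3: "second listed name"}
LISTED_IDS = {2, 3}  # assumption: the ids this client is allowed to read


def decode_id(token):
    """Decode the base64 JSON blob carried in the `id` parameter."""
    try:
        obj = json.loads(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError):
        return None  # not base64, not UTF-8, or not JSON
    if not isinstance(obj, dict):
        return None
    value = obj.get("id")
    # bool is a subclass of int, so reject it explicitly
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    return value


def entry_vulnerable(token):
    """Returns whatever record the client names; the encoding is the only 'protection'."""
    return RECORDS.get(decode_id(token))


def entry_hardened(token):
    """Same lookup, but the server decides which ids may be read."""
    rid = decode_id(token)
    if rid is None or rid not in LISTED_IDS:
        return None  # caller should answer 404/403 without revealing existence
    return RECORDS[rid]


if __name__ == "__main__":
    for tok in ("eyJpZCI6Mn0=", "eyJpZCI6MX0="):
        print(tok, decode_id(tok), entry_vulnerable(tok), entry_hardened(tok))
```
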
---
Tags: #ctf #api #web