Yesterday's challenge had an entry that said 'next page=/apps', so we start there.

The apps page has an app called the 'People Rater'.

![a6680fce69f18dcccf4ffd1b21ceb973.png](075ca02133c6491f84ff6eebfce37254.png)

Clicking these names pops up a box that says something bad. Let's inspect the button.

![ec407a8fbf79d608326b61ac093e8c80.png](f842febf7b14435c9baeab3b9e120301.png)

Interesting, looks like base64.

![f71fa5611e3d9af059785547d70de3f5.png](9b0db42a30a3479b9a8e446a3b9cc486.png)

And it is. Okay, so we can assume that clicking one of these buttons sends a request to an API that includes this field. Let's fire up Burp Suite and capture that request.

![9e79db2a3b9cd58732a3a94a22652ad1.png](3125776d93464405b6f9897da30ce7db.png)

Looks like the endpoint is `entry` and it takes the parameter `id`. When we decoded the base64 it said `id=2`, but that was the first name on the list. Where's `id=1`? Let's see what happens when we pass `id=1`. First, base64 encode it.

![64288c04ed9dff78cf76fdd56d3393a6.png](062b54c82e154f7eb94a7b2eb4bcb640.png)

`eyJpZCI6MX0=`

Time to send it. (Right-click the request and `Send to Repeater`.)

![50ec364f102ff0e69dd4ad40616508f5.png](ebe71908fddb46419df2e852cc7492dc.png)
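The button value is only base64 over a small JSON object, so any client can decode it, change the number and re-encode it; whether an entry may be returned has to be decided on the server after decoding. The block below is an added example, not code from the challenge: the JSON shape `{"id": N}` is what `eyJpZCI6MX0=` decodes to, while `ENTRIES`, `LISTED_IDS` and both lookup functions are hypothetical stand-ins for a backend.

```python
import base64
import binascii
import json

# Constructed records for illustration; not the challenge's data.
ENTRIES = {1: "unlisted entry", 2: "first listed name", 3: "second listed name"}
LISTED_IDS = {2, 3}  # assumption: ids the page actually renders as buttons

def encode_entry_id(entry_id):
    """Build the button value: base64 of compact JSON {"id": N}."""
    raw = json.dumps({"id": entry_id}, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()

def decode_entry_id(token):
    """Strictly parse a client-supplied token; ValueError on anything unexpected."""
    try:
        obj = json.loads(base64.b64decode(token, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(obj, dict) or set(obj) != {"id"}:
        raise ValueError("unexpected fields")
    entry_id = obj["id"]
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(entry_id, bool) or not isinstance(entry_id, int) or entry_id < 1:
        raise ValueError("id must be a positive integer")
    return entry_id

def lookup_trusting(token):
    """Weak form: serves whichever id the client re-encoded."""
    return ENTRIES.get(decode_entry_id(token))

def lookup_checked(token, allowed_ids=LISTED_IDS):
    """Hardened form: same parse, then a server-side authorization check."""
    entry_id = decode_entry_id(token)
    if entry_id not in allowed_ids:
        raise PermissionError(f"entry {entry_id} is not available to this caller")
    return ENTRIES[entry_id]

if __name__ == "__main__":
    token = encode_entry_id(1)
    print(token, "->", decode_entry_id(token))
    print("trusting:", lookup_trusting(token))
    try:
        lookup_checked(token)
    except PermissionError as err:
        print("checked:", err)
```

In a real service `allowed_ids` would come from the caller's session or role rather than a module-level constant.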