RTFM Hackerone CTF Writeup
https://www.ehsaanqazi.com/ctf/rtfm-hackerone-ctf-writeup
Published on December 14, 2021. Updated on January 14, 2022.

Wordlists will help you find something to do

Let's start with basic fuzzing on the /api/v1 endpoint and check what we get:

gobuster dir -w wordlist.txt -u http://35.227.24.107/89092085dd/api/v1

After the fuzzing completed, we found the following endpoints: /config, /secrets, /status and /user. Sending a request to /config reveals the first flag.

If a GET doesn't do anything, try a different HTTP verb

If we send a GET request to the /user endpoint, the response says "X-Token header authentication missing". Let's include an X-Token header with any default value; now it says "Invalid Token". Changing the HTTP method to POST, it says "missing username and password", which shows that /user is a POST endpoint taking two parameters, username and password. Sending the request with a username and password gets us our flag.

Hint given: Maybe you can edit your profile? But what fields can you change?

In the previous flag we got an endpoint to log in. Send a POST request to api/v1/user/login with the username and password and we get a token. Thinking logically, editing a profile means a PUT request, but what can we update? We use the token from the previous flag in the X-Token header and send a PUT request to /user, and we get a response. Now we need to find the updatable field, so we start brute-forcing and get a different response for avatar: it only accepts a URL. After various tries I found there is an SSRF, so when pointing it at localhost/api/v1/secrets we got a flag.

Sometimes developers hide extra features into a page… but how can you access it?

After fuzzing almost everything I didn't find anything, so I went back to the parameters I had found and started fuzzing parameters there. By applying a size filter I got the verbose parameter:

ffuf -u http://34.94.3.143/4f6cd6f1ea/api/v1/status?FUZZ=demo -w wordlist.txt -fs 1-20 -s

On visiting it I got the flag.

Have you read the new version of the API's documentation?

After a lot of fuzzing and brute-forcing on api/v2, I found the flag in the swagger.json file.

How can you use the same session across multiple different instances and versions?

If we send a GET request to /4466a43d24/api/v2/admin/user-list, the response says "Your user level needs to be an admin", so we need admin access to get the list. We register with user /user?=admin and get a token; after sending that token with the request we got the flag.

Some features were never quite finished properly in some versions

Returning to api/v1 and fuzzing there, we got a flag at post/1.

Take a close look at the returned headers from all of your endpoints, is there anything different about one of them? Maybe there's a second server somewhere? Possibly we can get access to things higher up...

Send a GET request to api/v1/post-analytics/ and you get a response, but when you do it without the trailing slash, api/v1/post-analytics, you get a redirect. There you can traverse the directory: to escape the / we set ..\ and see the public folder, and with ..\private we got the flag.

#Technology #Hacking
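The avatar SSRF above exists because the profile field accepted any URL and the server fetched it. As an added example (not code from the writeup or the CTF target), this is the allowlist-based validation a defender would put in front of such a field; the hosts in AVATAR_HOSTS and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts an avatar may be fetched from.
AVATAR_HOSTS = {"images.example.com", "cdn.example.net"}
ALLOWED_SCHEMES = {"https"}


def host_is_internal(host: str) -> bool:
    """True for 'localhost' names and loopback/private/link-local IP literals."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)  # urlsplit already strips IPv6 brackets
    except ValueError:
        return False  # a DNS name: the allowlist decides below
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_avatar_url(url: str) -> tuple:
    """Return (ok, reason). Only https URLs to an allowlisted host on the default
    port, with no embedded credentials and no internal target, are accepted."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if not host:
        return False, "missing host"
    # Explicit internal-address check: this is what the avatar field in the
    # writeup lacked, so localhost/api/v1/secrets was fetched server-side.
    if host_is_internal(host):
        return False, "internal address not allowed"
    # Primary control: a closed allowlist, so arbitrary hosts (and whatever
    # they resolve to) never reach the fetcher. The fetch itself must also
    # refuse to follow redirects, or the check is bypassed after validation.
    if host not in AVATAR_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if port not in (None, 443):
        return False, "non-standard port not allowed"
    return True, "ok"
```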