Ottergram
Another day, another chance to see some otters! Today our hint was BAC.
Today I fumbled around for a while in search of an endpoint I could use. I tested every endpoint I could get my hands on with the two accounts I had created. Then it hit me that in these challenges we are sometimes granted admin rights using admin:admin123. Once I was able to navigate around the admin panel, I found the endpoint /admin/delete/:id. This endpoint had not been tested yet, so I tried to perform the administrative action with the JWT of a normal user.

When the backend 'approved' the action, I got my flag back 🇧🇪
This could also have been solved by fuzzing the application; I did not think of that until after I had found the flag.
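The root cause here is a handler that authenticates the caller (is the JWT valid?) but never authorizes the action (is this caller allowed to hit an admin route?). The following is an added example, not code from the challenge: a minimal HS256 JWT verifier next to a vulnerable and a fixed version of the /admin/delete/:id handler. The signing key and the `role` claim name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for this example; a real service loads it from config.
SECRET = b"example-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT. Used here only to build sample tokens for both roles."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str):
    """Return the claims dict if the signature checks out, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def delete_user_vulnerable(token: str, target_id: int) -> int:
    """DELETE /admin/delete/:id as in the challenge: any valid JWT is enough."""
    if verify_jwt(token) is None:
        return 401  # unauthenticated
    return 200  # deleted, regardless of who asked


def delete_user_fixed(token: str, target_id: int) -> int:
    """Authenticate, then authorize: only the admin role may reach this route."""
    claims = verify_jwt(token)
    if claims is None:
        return 401  # unauthenticated
    if claims.get("role") != "admin":
        return 403  # authenticated, but not permitted
    return 200
```

The role check must read from the verified claims, never from a client-supplied header or body field, and it belongs on every admin route, not just the ones a tester happened to exercise.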