Sokudo

Our favorite typing application went back online today. Today's hint is BAC.

After creating two accounts and clicking and typing away, I could not find anything that worked in Burp Suite. I spent a good amount of time trying different things to view or change other users' data, but everything was secure. That was until I opened localStorage to see what the application had hidden there.

The token looked a lot like a timestamp! While checking things in Burp Suite I had noticed that /api/stats/leaderboard was a bit chatty and showed the last login of every user, so I looked up the last login of the admin account.

I took that value and made my own token out of it by deleting all the non-numeric characters and whitespace, which resulted in 20251205075404. I stored that token in my own localStorage and refreshed the page.

And just like that I had access to the admin panel and found my flag 🇧🇪
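To make the root cause concrete, here is an added Python example (my own illustration, not code from the challenge or from the application) that puts the weak token scheme beside a hardened one. It assumes a last-login value formatted like `2025-12-05 07:54:04`; the page only shows the digits that remain, so the exact format the leaderboard returned is an assumption. It also includes a small audit heuristic for spotting timestamp-shaped tokens in your own application, and a minimized leaderboard response that keeps `last_login` server-side.

```python
import hmac
import re
import secrets
from datetime import datetime

# Constructed sample: a last-login value of the kind a leaderboard endpoint
# might expose. The format is an assumption; the writeup only shows the
# digits that were left after stripping.
SAMPLE_LAST_LOGIN = "2025-12-05 07:54:04"


def weak_token(last_login: str) -> str:
    """Weak scheme: the session token is the login timestamp with everything
    except the digits removed. Anyone who can learn when a user last logged
    in (here: via a chatty leaderboard endpoint) can rebuild the token."""
    return re.sub(r"\D", "", last_login)


def token_looks_predictable(token: str) -> bool:
    """Audit heuristic: a token that consists only of digits and parses as a
    YYYYMMDDHHMMSS timestamp is derived from data, not from randomness."""
    if not token.isdigit() or len(token) != 14:
        return False
    try:
        datetime.strptime(token, "%Y%m%d%H%M%S")
        return True
    except ValueError:
        return False


class SessionStore:
    """Hardened scheme: tokens are random, carry no information about the
    user or the login time, and only mean something through a server-side
    lookup table."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}  # token -> username

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def resolve(self, presented: str):
        # Compare in constant time so a token cannot be confirmed byte by
        # byte through timing differences; return None for unknown tokens.
        for token, user in self._sessions.items():
            if hmac.compare_digest(token, presented):
                return user
        return None


# Only these fields belong in a public leaderboard; last_login stays internal.
PUBLIC_LEADERBOARD_FIELDS = ("username", "score")


def leaderboard_response(users: list[dict]) -> list[dict]:
    """Data minimization: serialize only the public fields of each record."""
    return [{k: u[k] for k in PUBLIC_LEADERBOARD_FIELDS} for u in users]


if __name__ == "__main__":
    print("weak token from last login:", weak_token(SAMPLE_LAST_LOGIN))
    print("looks predictable:", token_looks_predictable(weak_token(SAMPLE_LAST_LOGIN)))
    store = SessionStore()
    t = store.issue("admin")
    print("random token resolves to:", store.resolve(t))
    print("timestamp token resolves to:", store.resolve("20251205075404"))
    # Constructed sample record; the leaderboard output drops last_login.
    print(leaderboard_response([{"username": "admin", "score": 10,
                                 "last_login": SAMPLE_LAST_LOGIN}]))
```

The two fixes are independent and both matter: a random server-side session token removes the link between public data and authentication, and stripping `last_login` from the leaderboard closes the information leak that made the link exploitable in the first place.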
