Sokudo

Today's lab comes with the hint "Can you find API endpoints on a different path?"

After firing up Burp and clicking around a bit in the application, I noticed that all the endpoints were prefixed with /v2, so that could possibly mean that there is a /v1, right?

On a random endpoint I tried changing the prefix from /v2 to /v1.

And I got the same result, so now it was time to list out all the endpoints and try different things. Some of the things I tried were:

  • /v2/login
    • /v1/login
      • can log in as a valid user
      • not vulnerable to SQLi on login
  • /v2/stats
    • /v1/stats
      • returns the same data
      • cannot PUT
      • cannot POST
  • /v2/register
    • /v1/register
      • can register new users
        • not vulnerable to mass assignment

I went over all the endpoints I could find like this, but I couldn't find anything unusual.

Then I ran the getEndpoints script from Jason Haddix, https://gist.github.com/jhaddix/daba27d11fdd97d9077d610dccbe91df, and found some new endpoints.

And I do love some new endpoints tagged with admin. Since I assumed v2 wouldn't be vulnerable, I went straight for /v1/admin/flag.

Unfortunately, I still needed admin access. But maybe on this endpoint the signature wasn't checked properly, so I changed my role in the token.

I still needed admin rights, but this is strange behavior: it should have said INVALID TOKEN or something like that, because I did tamper with it. So what would happen if I pretended I had another id?

I assumed once again that the big boss would have id 1, and since the check apparently only happens on the id, I found the flag 🇧🇪
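To make the two defects concrete, here is an added example (not code from the lab or from this write-up) that puts a /v1-style check, which reads the token payload without verifying the signature and authorises on the client-supplied id, beside a hardened check that verifies the HMAC first and looks the role up server-side. The secret, user store and tokens are all constructed for the demo; the lab's real values are not on this page.

```python
import base64, hashlib, hmac, json

# Constructed demo values (hypothetical; the lab's real secret and users are unknown).
SECRET = b"constructed-demo-secret"
USERS = {1: {"role": "admin"}, 2: {"role": "user"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(payload: dict) -> str:
    """Mint an HS256 JWT the way a server would for a logged-in user."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def legacy_is_admin(token: str) -> bool:
    """The /v1-style bug: the payload is trusted without checking the
    signature, and authorisation rests on the id claim alone."""
    _, body, _ = token.split(".")
    claims = json.loads(b64url_decode(body))
    return claims.get("id") == 1

def hardened_is_admin(token: str) -> bool:
    """Verify the HMAC before reading any claim, then derive the role from
    the server-side user record instead of trusting the token."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False  # malformed token
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False  # only the algorithm we issue is accepted
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False  # tampered or forged token
    claims = json.loads(b64url_decode(body))
    return USERS.get(claims.get("id"), {}).get("role") == "admin"

def demo() -> dict:
    """Replay the write-up: a genuine user token, then the same token with the
    id rewritten to 1 while the original (now stale) signature is kept."""
    genuine = sign_token({"id": 2, "role": "user"})
    header, _, sig = genuine.split(".")
    forged_body = b64url(json.dumps({"id": 1, "role": "user"}).encode())
    forged = f"{header}.{forged_body}.{sig}"
    return {"legacy_genuine": legacy_is_admin(genuine),
            "legacy_forged": legacy_is_admin(forged),
            "hardened_genuine": hardened_is_admin(genuine),
            "hardened_forged": hardened_is_admin(forged)}
```

The legacy check accepts the forged token because it never looks at the signature, which matches the missing INVALID TOKEN response described above; the hardened check rejects it and also ignores the self-asserted role claim.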
