Tanuki
Tanuki is usually an XXE lab, but for today only, the hint stated mass assignment.
After registering, I was kinda lost. Mainly because I'm used to the fact that this is the XXE lab, and I couldn't find any point clicking through the frontend that would hint towards a mass assignment vulnerability. That was until I reviewed all the requests in BurpSuite. In the request where I registered I noticed a role property.

So what I did next was try to register another user, but with the role "admin".

I got back a 200 from that request with the request and the response showing "role":"admin". So I tried logging in as shadow2.

And saw that shadow2 had admin rights and could see the flag 🇧🇪
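To show what was going on server-side, here is an added example (not the lab's code) of a registration handler with the mass-assignment bug beside a hardened version. The in-memory user store, the field names other than `role`, and the constructed request body are assumptions; only the `role` property and the `shadow2` account come from the write-up above.

```python
# Added example, not the Tanuki lab's code. Endpoint shape, the in-memory
# store and every field other than "role" are assumptions for illustration.
import json

DEFAULT_ROLE = "user"
# Only these properties may be set by the client at registration time.
ALLOWED_REGISTRATION_FIELDS = {"username", "password", "email"}

users = {}  # constructed in-memory store, keyed by username


def register_vulnerable(body: str) -> dict:
    """Bind every JSON property straight onto the new user record.

    Whatever the client sends, including "role", becomes part of the
    account. This is the mass-assignment behaviour seen in the lab.
    """
    data = json.loads(body)
    user = {"role": DEFAULT_ROLE}
    user.update(data)  # a client-supplied "role" silently overwrites the default
    users[user["username"]] = user
    return user


def register_hardened(body: str) -> dict:
    """Copy only allow-listed fields and set the privilege server-side."""
    data = json.loads(body)
    unknown = set(data) - ALLOWED_REGISTRATION_FIELDS
    if unknown:
        # Reject rather than silently drop, so probing for hidden
        # properties shows up as a 4xx instead of a quiet success.
        raise ValueError(f"unexpected fields in registration request: {sorted(unknown)}")
    user = {k: data[k] for k in ALLOWED_REGISTRATION_FIELDS if k in data}
    if "username" not in user or "password" not in user:
        raise ValueError("username and password are required")
    user["role"] = DEFAULT_ROLE  # never taken from the request
    users[user["username"]] = user
    return user


def register_hardened_or_none(body: str):
    """Helper for callers that just want to know whether the request was accepted."""
    try:
        return register_hardened(body)
    except ValueError:
        return None


def can_view_flag(username: str) -> bool:
    """Stand-in for the authorization check behind the flag page."""
    return users.get(username, {}).get("role") == "admin"


# Constructed request bodies mirroring what was sent from Burp: a normal
# registration with an extra "role" property, and a clean one for comparison.
PAYLOAD = json.dumps({"username": "shadow2", "password": "hunter2", "role": "admin"})
CLEAN_PAYLOAD = json.dumps({"username": "shadow3", "password": "hunter2"})

if __name__ == "__main__":
    vuln = register_vulnerable(PAYLOAD)
    print("vulnerable handler stored role:", vuln["role"],
          "| flag visible:", can_view_flag("shadow2"))
    print("hardened handler accepted tampered body:",
          register_hardened_or_none(PAYLOAD) is not None)
    print("hardened handler stored role for clean body:",
          register_hardened(CLEAN_PAYLOAD)["role"])
```

The fix is the allow-list plus setting `role` from server-side logic only; any framework feature that binds a whole request body to a model (ORM `update(**request.json)`, `Object.assign`, and the like) needs the same treatment.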