Tanuki

Today the hint was web, but pretty quickly I realised it was BugForge's first ever SSRF lab.

When opening up the lab, I immediately saw the new feature 'Leaderboard'. So I was pretty sure that it was there that I needed to look.

In Burp Suite I saw a POST request with a URL. So now I was certain I had to try SSRF.

First thing I tried was reaching an /admin endpoint.

And so I rather quickly solved that SSRF lab and got my flag 🇧🇪
