Shady Oaks

With today's hint of tampering I struggled a bit to find the exploit.

I immediately noticed some new functionality that enabled a user to get insights into the market. So once I upgraded a user, I noticed that that user got the role of insider.

My next step was to try to assign that role on the creation of a new user, but that did not work. With updating a user, I was also unsuccessful in upgrading a user.

So mass assignment was not the way to go. I went back to the app and tried basically every endpoint, with every possible attack I could think of, but nothing really stuck. So I went back to the new functionality.

Then it hit me: inside the code, there wasn't gonna be a check for the input. So maybe I could become administrator?

And sure enough, that worked! I had to fumble around with admin for a while before I tried administrator but hey, that's hacking!

So after that, the admin panel showed up, but once I clicked on that, I got an error loading the flag. Was this an extra bug I found, was the app broken, or was I just stupid?

Turns out, it was a classic case of PEBCAK (problem exists between chair and keyboard). Of course I had to update my local storage with my new JWT I got when updating my role!

Once I did that, I could navigate to the admin panel.

And in big beautiful font, my flag was there! 🇧🇪
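The missing input check described above, sketched next to a server-side allowlist that closes it. This is an added example, not the challenge's code: the function names, the `role` body field, the audit-log shape and the `user` role are assumptions; `insider` and `administrator` are the roles named in the writeup.

```javascript
// Constructed sketch of the upgrade logic; not the application's real source.

// Roles a user may grant themselves through the upgrade feature (assumption).
const SELF_ASSIGNABLE = new Set(["insider"]);
// Every role the application knows about (assumption: "user" is the default).
const KNOWN_ROLES = new Set(["user", "insider", "administrator"]);

// Vulnerable shape: whatever role string the client sends is copied into the
// claims that get signed into the re-issued JWT.
function upgradeVulnerable(currentClaims, body) {
  return { ...currentClaims, role: body.role };
}

// Hardened shape: the requested role must be a string on the self-service
// allowlist. Anything else leaves the claims untouched and is recorded so
// that attempts to reach a privileged role are visible to defenders.
function upgradeHardened(currentClaims, body, auditLog = []) {
  const requested = body.role;
  if (typeof requested !== "string" || !SELF_ASSIGNABLE.has(requested)) {
    auditLog.push({
      event: "role_upgrade_rejected",
      sub: currentClaims.sub,
      requested: String(requested).slice(0, 64), // bound the logged value
      privileged: KNOWN_ROLES.has(requested),    // real role, but not self-assignable
    });
    return { ok: false, claims: currentClaims };
  }
  return { ok: true, claims: { ...currentClaims, role: requested } };
}
```

Because the role lives in the token's claims, a successful change only takes effect once the client replaces its stored JWT with the re-issued one, which is the local-storage step the writeup describes.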
