Select your country

Not finding what you are looking for, select your country from our regional selector:

Search

Apiculture 1 write-up

Apiculture challenges

Author: Frédéric Bourla

The Apiculture challenges are dedicated to API attacks. It is basically a honey’s addict website:

Solve the first challenge

To solve the first challenge, we should pay attention to the call to the /api/products/ API:

This endpoint provides information to the Angular front-end so that the page can be rendered in the browser… But it is impacted by an Improper Data Filtering vulnerability, since it reveals data [i.e. the vendorID field] that is not used in the webpage. We can indeed discover that all products have been published by the same vendor, whose ID is 57336:

We should then try to discover other endpoints. Fortunately for us, the developer kept a detailed description of his APIs at /api/swagger.json:

The /api/flags/ endpoint sounds particularly interesting. But it is protected by a Basic Auth:

Let’s have a look to the /api/vendors/ endpoint. It reveals interesting information when we provide the vendorID that leaked through the initial Improper Data Filtering vulnerability:

So, we know that the vendor is a simple user and we have his password hash. This SHA1 hash can cracked quickly or simply googled to get the weak password of this vendor: