SuperFastAPI

by sealldev
KashiCTF 2025 / web

Description

Made my very first API! However I have to still integrate it with a frontend so can't do much at this point lol.

Original Writeup on seall.dev

I start by using ffuf with the directory-list-2.3-medium wordlist from SecLists and find the /docs endpoint.

After locating the /docs endpoint I see we can:

  • Create a user
  • Update a user
  • Request the flag
  • Get a user

If we create a user and then request the flag, the response says our role is not an admin (which it isn't).

What we can do is call the update endpoint on our own user and include the 'role' parameter, which updates our own role.
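The flaw here is mass assignment: the update handler copies every client-supplied field, including `role`, onto the stored user. The following is an added example, not the challenge's source code or the author's; it models the handler logic without a framework, and every function and field name other than `role` is an assumption.

```python
# Added example: framework-free model of a user-update handler.
# All names here are hypothetical; the challenge's real code is not on the page.
USERS = {}  # in-memory user store for the demo

# Fields a client may change on its own record. "role" is deliberately absent.
CLIENT_WRITABLE = {"email", "display_name"}


def create_user(username):
    USERS[username] = {"username": username, "email": "",
                       "display_name": username, "role": "guest"}
    return USERS[username]


def can_read_flag(username):
    # The flag endpoint's authorization check, as described in the writeup.
    return USERS[username]["role"] == "admin"


def update_user_vulnerable(username, body):
    """Mass assignment: every key in the request body lands on the record."""
    USERS[username].update(body)
    return USERS[username]


def update_user_hardened(username, body):
    """Allow-list the writable fields and reject anything else outright,
    so an attempted privilege change fails loudly and can be logged."""
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise ValueError(f"fields not writable by client: {sorted(unexpected)}")
    USERS[username].update(body)
    return USERS[username]


def demo():
    """Run the same constructed request body through both handlers."""
    body = {"email": "a@example.test", "role": "admin"}  # constructed input
    create_user("alice")
    update_user_vulnerable("alice", body)
    create_user("bob")
    try:
        update_user_hardened("bob", body)
    except ValueError:
        pass  # request rejected, record untouched
    return can_read_flag("alice"), can_read_flag("bob")


if __name__ == "__main__":
    print(demo())
```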


Flag: KashiCTF{m455_4551gnm3n7_ftw_XD1FPHGGm}
