SuperFastAPI
by sealldev
SuperFastAPI / KashiCTF 2025

Original Writeup on seall.dev
I start by using ffuf and find the /docs endpoint using the directory-list-2.3-medium list from SecLists.
After locating the /docs endpoint I see we can:
- Create a user
- Update a user
- Request the flag
- Get a user
If we create a user and try to request the flag, the response says our role is not admin (which it isn't).
What we can do is call the user update with the 'role' parameter included and change our own role.
Flag: KashiCTF{m455_4551gnm3n7_ftw_XD1FPHGGm}
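The role update above works because the update handler accepts whatever fields the client sends (mass assignment). As an added example, not the challenge's code, the sketch below puts an update routine with that flaw beside one that allowlists self-editable fields; the `User` model, the field names other than `role`, and the policy in `SELF_EDITABLE` are assumptions made for illustration.

```python
# Added illustration: a minimal in-memory model, not the challenge's code.
from dataclasses import dataclass

@dataclass
class User:
    username: str
    email: str
    role: str = "user"

# Fields a client may change on its own account (assumed policy).
SELF_EDITABLE = {"email"}

def update_vulnerable(user: User, body: dict) -> User:
    """Copies every matching key of the request body onto the record."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

def update_hardened(user: User, body: dict, actor_role: str) -> User:
    """Applies only allowlisted fields; a role change needs an admin actor."""
    rejected = set(body) - SELF_EDITABLE
    if "role" in rejected and actor_role == "admin":
        rejected.discard("role")
    if rejected:
        # Fail before touching the record so a partial update never lands.
        raise PermissionError(f"fields not permitted: {sorted(rejected)}")
    for key, value in body.items():
        setattr(user, key, value)
    return user

def can_read_flag(user: User) -> bool:
    return user.role == "admin"

def demo() -> dict:
    body = {"email": "a@example.test", "role": "admin"}  # constructed request body
    weak = update_vulnerable(User("alice", "old@example.test"), dict(body))
    strong = User("alice", "old@example.test")
    try:
        update_hardened(strong, dict(body), actor_role=strong.role)
        blocked = False
    except PermissionError:
        blocked = True
    return {"vulnerable_is_admin": can_read_flag(weak),
            "hardened_blocked": blocked,
            "hardened_role": strong.role}

if __name__ == "__main__":
    print(demo())
```

In a FastAPI service the same allowlist is usually expressed as a separate request model for updates that omits `role` and rejects unknown fields.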