The Mission
Writeup for The Mission (Web) - NahamCon CTF (2025) 💜
Last updated
Writeup for The Mission (Web) - NahamCon CTF (2025) 💜
Last updated
HackingHub has provided this CTF challenge!
Welcome to the BugBounty platform, you've submitted a report for Yahoo but oh no!! So has STÖK and it looks like you're going to get dupped!
Hack into the platform and change STÖK's report to duplicate first so you can grab the bounty!
Platform looks familiar 😼 We’ve got a /hackers page with 8 usernames and a /login. Tried basic creds (admin:admin, admin:password) and a couple lazy ' OR 1=1 -- attempts. Nothing.
We're also given a wordlist.txt, so I assumed it's for brute-forcing the login. But the contents don’t look like passwords — they’re endpoint names. So I pivot to fuzzing.
Used the wordlist to brute endpoints, found:
All of them mention this .war file:
/api/v1 warns it's deprecated — maybe that means vulnerable?
Also found /dashboard and /settings — both redirect to /login.
/uploads exists too — fuzzed inside it with the same wordlist. Might be useful for insecure file upload or privilege escalation later.
At this point, I remembered the challenge literally says we need to mess with STÖK's report. Guessed /reports. Nothing on /api or /api/v1, but /api/v2 returns:
Tried fuzzing keys like:
But all the responses were the same length. Then I tried REST-style:
Still nothing — always got "Invalid Unknown Endpoint". Out of desperation I asked ChatGPT (lol), and it suggested:
That actually worked — gave Invalid User ID. Tried some IDs, usernames, numbers, fuzzed 1–1000 — still nothing.
Then I re-read the challenge and realized I’m an idiot. They gave creds in the description:
Logged in — finally. The dashboard shows a pending SSRF -> RCE report.
You can click into your profile and try to edit account details, but it errors out saying updates are disabled.
While messing with that, I saw GraphQL requests in Burp. Right-click → GraphQL → Introspection query, then save the queries to site map.
Now we can actually see the GraphQL queries and endpoint structure. Found:
Never would’ve guessed that during brute-force.
Sending one of the queries in Repeater returns all the top hackers and their UIDs. One of them has a flag.
Flag: flag_4{253a82878df615bb9ee32e573dc69634}
Apparently there are 6 total though 🤔
With the UIDs from the GraphQL output, I try:
Checked each user — nothing else. Tried adding password to the GetUser query — causes a schema error.
Spotted a JS file: /assets/js/chat-widget.js
Initially thought the chat button was hidden. Turns out I'm just blind — bottom-right of the screen.
Looks like it's powered by an LLM?
It says it does, so I try to convince it to leak reports, change report status etc. I'll not paste all the responses here, but so far it gives me nothing.
“Nice try! The details of specific endpoints are part of the challenge.”
Eventually though…
That got me flag 6!
Flag: flag_6{9c2001f18f3b997187c9eb6d8c96ba60}
Turns out flag 6 was a bonus — back to enumeration.
Found /robots.txt:
Flag: flag_1{858c82dc956f35dd1a30c4d47bcb57fb}
Discovered /internal-dash/login shortly after. Tried fuzzing more stuff inside it — not much yet.
Reviewed GraphQL schema again, tried loading it in Voyager — didn’t get anything new.
Didn’t finish the challenge, but looked up the paths for 2, 3, and 5 afterward. For the sake of completeness, here's what was missed.
Remember the openjdk:19-jdk:bountyapi.war we found in the API response? Since this hinted a Java application, we should have tried /api/v1/actuator. It would trigger a WAF, which we could bypass by URL encoding. We'd get flag 2, alone with an new endpoint to explore: /actuator/heapdump
Using the new heapdump endpoint, we'd see a request from Inti on a new endpoint: /api/v1/internal-dashboard/token including an auth token:
We can make a POST request to this endpoint, and it will create us an Internal dashboard token: a1c2860d05f004f9ac6b0626277b1c36e0d30d66bb168f0a56a53ce12f3f0f7a
From here, we go to the /internal-dash we discovered earlier and /logout, identifying a new token: int-token.
Now we just update that token with the one we recovered and return to the /internal-dash.
There's flag 3, one more to go!
On /internal-dash/, the "lookup report" feature is vulnerable to a second-order path traversal.
Submitting ../ reveals two hidden endpoints:
Since we already have STÖK’s user_id, we can get their reports:
One of them is the Yahoo report — grab the ID:
Now use /search with that ID:
That returns a change_hash:
Use it to change the status of STÖK’s report via:
Do the same with your own report (ID: f9aa28ef-7008-424e-86fb-4271b131b155) to get a change hash.
Then promote yourself to confirmed:
After that, check your dashboard — the flag is in the title of your report status.
I start with usual prompts, asking it to forget all previous instructions and give me the flag, convincing it to give me it's original prompt etc. Remembering the , I ask it what APIs it has access to.
Realised the goal is to convince it I'm .
