Watermelon CTF from CyberX_Internship.

Team Members

- Ahmed Farag
- Khaled Ahmed
- Noura Ayman
- Yousef Fahmy
- Mohamed Abdelaziz

First, let's understand what this challenge is. There is no form or any other information on the site, just the sentence "Welcome to my file sharing API".


So let's check the page source to see if any endpoint is stored there, but we didn't find anything. Next, let's run an automated tool to discover the endpoints of this website; I prefer to use dirsearch.


I found 6 endpoints. Let's check the first one, /register, but it does not accept the GET method.


Changing the GET method to POST gives nothing either, but wait: I noticed in the response that it needs a header called Content-Type with the value application/json.


Remove everything from the request except the method, Host and Content-Type, and send the request again.

[Burp Suite screenshot, 2024-10-09 16:48]

But what? It's a bad request: the server couldn't understand the request. That's strange. I tried viewing the response in Burp's Render tab, but nothing. After some overthinking: a register function needs a username (or email) and a password to register on any site, and if we think about it for a minute, since the Content-Type is JSON, the registration body in the request must be JSON as well.

[Burp Suite screenshot, 2024-10-09 16:57]
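The sequence above (GET refused, POST without a JSON Content-Type refused, POST with an empty body rejected as a bad request, POST with a JSON body accepted) can be reproduced offline. The following is an added example, not code from the challenge or the write-up: it runs a small stand-in for the /register endpoint on localhost that behaves the way the write-up describes, and a client that sends each of the four requests the way one would from Burp Repeater. The field names `username` and `password`, the 415 status for a wrong Content-Type and the 201 status for success are assumptions, since the write-up only says the response asked for `Content-Type: application/json` and that the empty body produced a bad request.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class RegisterHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the challenge's /register endpoint.

    Reproduces the behaviour observed in the write-up: GET is refused, a JSON
    Content-Type is required, and a body that is not valid JSON (including an
    empty body) is answered with 400 Bad Request. Status codes 415 and 201 are
    assumptions, not values taken from the challenge.
    """

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Observed: /register does not accept the GET method
        self._send(405, {"error": "method not allowed"})

    def do_POST(self):
        if self.path != "/register":
            return self._send(404, {"error": "not found"})
        # Observed: the response asked for Content-Type: application/json
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return self._send(415, {"error": "Content-Type must be application/json"})
        raw = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        try:
            data = json.loads(raw)
        except ValueError:
            # Observed: an empty (non-JSON) body is a bad request
            return self._send(400, {"error": "bad request: body is not valid JSON"})
        # Assumed field names; a server should validate shape before using the values
        if not isinstance(data, dict) or not all(
            isinstance(data.get(k), str) and data[k] for k in ("username", "password")
        ):
            return self._send(400, {"error": "username and password required"})
        return self._send(201, {"registered": data["username"]})


def start_server():
    """Bind the stand-in server to a free localhost port and serve in the background."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), RegisterHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def register(base_url, method="POST", content_type="application/json", body=None):
    """Send one request, as one would from Burp Repeater, and return (status, json body)."""
    if body is None or isinstance(body, bytes):
        data = body
    else:
        data = json.dumps(body).encode()
    req = urllib.request.Request(f"{base_url}/register", data=data, method=method)
    if content_type:
        req.add_header("Content-Type", content_type)
    # Note: with data set and no Content-Type, urllib sends
    # application/x-www-form-urlencoded, which is exactly the wrong-type case.
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


def walkthrough():
    """Replay the four requests from the write-up and return their status codes."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {
            "get": register(base, method="GET", content_type=None)[0],
            "post_no_json_ctype": register(base, content_type=None, body=b"")[0],
            "post_empty_body": register(base, body=b"")[0],
            "post_json": register(base, body={"username": "demo", "password": "demo-pass"})[0],
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` reproduces the progression from the screenshots: 405 for GET, 415 for a POST whose Content-Type is not JSON, 400 for an empty body, and 201 once the body is a JSON object carrying the credentials. From the defender's side, the handler shows the checks that make that progression happen: refusing unexpected methods, enforcing the Content-Type, and validating the parsed body's shape before touching any field.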