Skip to content

b4sh0xf offsec notes

writeup shady oaks financial

b4sh0xf offsec notes

🏠 home
👤 about me
👩‍💻 programming notes
👩‍💻 programming notes
- php
- javascript
- java
- kotlin
- c/c++
- asp.net
🐱‍👤 pentesting notes
🐱‍👤 pentesting notes
- web exploitation
  web exploitation
  - xss
  - sqli
  - ssti
    ssti
    
    jinja2
    
    spring
    
    erb
    
    pug.js
    
    ejs
    
    twig
  - lfi/rfi
  - insecure deserialization
    insecure deserialization
    
    php
    
    python
    
    java
    
    asp.net
    
    phar deserialization
  - http request smuggling
  - prototype pollution
  - type confusion
  - race condition
  - business logic
  - waf bypass
  - web cache poisoning (PT-BR)
  - off-by-slash
  - zip-slip
- api exploitation
  api exploitation
  - bola
  - bopla
  - bfla
  - sspp
  - json injection
  - improper inventory management
  - ssrf
  - jwt hacking
- mobile exploitation
  mobile exploitation
  - android
    android
    
    os fundamentals
    
    apps fundamentals
    
    bypassing
    bypassing
    
    root detection
    
    frida detection
    
    ssl pinning
    
    anti-emulator
    
    common vulnerabilities
    common vulnerabilities
    
    insecure data storage
    
    deeplinks
    
    webviews
    
    ipc
- cloud exploitation
  cloud exploitation
  - about cloud computing
  - aws
    aws
    
    introduction
    
    interacting with api-cli
    
    lambda functions and api gw
    
    rds
    
    ssrf2aws
  - docker
    docker
    
    about docker
    
    interacting with docker cli and api
    
    docker compose
  - kubernetes
    kubernetes
    
    about kubernetes
- active directory exploitation
  active directory exploitation
  - introduction to AD
  - kerberos
  - adcs
  - ldap
🕵️‍♂️ appsec notes
🕵️‍♂️ appsec notes
✍ writeups
✍ writeups
- hacking club
  hacking club
  - writeup velorum
  - writeup console
  - writeups carnavown
    writeups carnavown
    
    Imetrics
    
    Iapi
- hack the box
  hack the box
  - celestial scribe
- vulnlab
  vulnlab
  - writeup shibuya
- bug forge
  bug forge
  - writeup copypasta
  - writeup sokudo
  - writeup furhire
  - writeup shady oaks financial writeup shady oaks financial
    Table of contents
    
    0x00: recon
    
    0x01: show me the flag!
  - writeup galxy dash
  - writeup mesanet portal
🧩 tips n tricks
🧩 tips n tricks
- bypassing client side encryption (PT-BR)
- privesc
  privesc
  - linux
  - windows
- docker escape
- kiosk escape
- php sandbox escape
- python sandbox escape
- cheatsheets
  cheatsheets
- pentesting wordpress
- pentesting laravel
- reverse engineering
- format strings
- buffer overflow
- ret2libc
- rop

writeup shady oaks financial

daily challenge: 16/01/26
    🟢 difficulty: easy
⚡ xp earned: 10
📂 categories: api
        
🛠️ vulns: broken function level authorization (bfla)
    

0x00: recon

we can start registering our user to this trading webapp

our account starts with 1k euros (i wish that isn't a ctf.) and we can buy/sell digital stocks, exchange money between currencies and all our actions are registered.

0x01: show me the flag!

after testing some business logic vulns, we can perform a code review in the .js files

when we try to access these admin routes, for my surprise, all of them works! this is an broken function level authorization, when a common user can perform high-privillege actions in the application. in this case, a common trader can see all the trades ever made.

continuing our code review, we can see there exists an /api/admin/flag endpoint and by the logic (the vuln, lol), we can take the flag.

🌐 all content is authoral. keep hacking ;)