Hello hackers! Welcome back to pentestguy with another tutorial on API pentesting. Today, we will be exploring the Bookstore CTF from TryHackMe and focusing on API fuzzing and exploitation techniques. Please note that this tutorial will not provide a complete walkthrough of the CTF but will concentrate specifically on API-related aspects.
You can find the Bookstore CTF here – https://tryhackme.com/room/bookstoreoc
Port Scanning with Nmap
To begin, as with any CTF, the first step is to perform port scanning. We can use tools like Nmap for this purpose. In the case of the Bookstore CTF, Nmap reveals that two ports are running HTTP services: port 80 and port 5000.
Crossed check the robots.txt and check for more information.
After identifying the open ports, we can verify that an API service is indeed running on port 5000. By visiting the “/api” URI, we can access the API documentation, which will provide valuable information about the available endpoints, parameters, and expected responses.
At this stage, it’s common to attempt various attacks such as SQL injection, XSS, and SSTI. However, if these attacks prove unsuccessful, it’s essential to explore further. In the case of the Bookstore CTF, we discover that there is a “v1” version of the API as well. Attempting the same attacks on the “v1” endpoint might yield different results.
Fuzzing with Arjun
To expand our attack surface, we can utilize tools like Arjun to find additional parameters. During this process, we come across a parameter called “show” that appears to be interesting.
To systematically test this parameter, we can employ fuzzing tools such as Fuzz or Wfuzz with an appropriate dictionary. By sending requests to the URL with different values for the “show” parameter, we discover something intriguing: an error message stating “filename is not defined.”
Exploiting this error, we can attempt Local File Inclusion (LFI) attacks. For example, providing a value like “.bashrc” as the “show” parameter allows us to successfully perform LFI and retrieve the contents of the “.bashrc” file.
This concludes our tutorial on API penetration testing. I hope you have gained some valuable insights and ideas from this post. If you have any queries or suggestions, please feel free to leave a comment below. Now you can also collab with us please check our collaboration page, Thank you for reading!