API 14

This exercise covers how to exploit a leaked encrypted password with an API.

< 1 Hr.
API Badge


In this challenge, your goal is to log in as the user admin@libcurl.so by exploiting leaked API call information. There are two methods to solve this challenge: reverse the application to determine how the password is encrypted and then decrypt it, or find a more straightforward approach to leverage the leaked encrypted password.

The video tutorial demonstrates how even without knowing the actual password, you can use a proxy tool like Burp Suite to replay the encrypted password value. This is possible because the application encrypts the password before sending it to the backend, allowing the reuse of the encrypted value for login. This challenge underscores the importance of understanding how encrypted values can be exploited in API calls.

Want to learn more? Get started with PentesterLab Pro! GO PRO