A "Black Box" IDOR (Insecure Direct Object Reference) challenge designed to test traffic analysis and fuzzing skills.
You have gained access to the Voyager-X data terminal. However, the front-end interface is hardcoded to only display public system logs.
Classified information is stored somewhere within the satellite's object data store. Your mission is to find the flag: LNM{H3110 ;)}.
- Node.js (to run the challenge)
- Caido (or Burp Suite) for intercepting and manipulating traffic.
- Launch the server (
node server.js). - Intercept the background API requests using Caido.
- Identify the vulnerable parameter.
- Exploit the IDOR vulnerability to retrieve the classified flag.
- The UI is just a distraction; the truth is in the traffic.