Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.
Objective: Discover all API endpoints by extracting and reading the minified React JavaScript bundle served by the application.
Context: The app is a React SPA. All client-side API calls are baked into the JavaScript bundle at /static/js/main.*.js. Prettifying and searching the bundle is the fastest way to enumerate every endpoint before touching the app.
The frontend is a compiled React SPA. Where would all the API endpoint strings live?
Fetch the JS bundle from /static/js/ and run it through a JS beautifier. Search for strings like /api/ to find every backend route.
Grab the bundle with curl or your browser's DevTools, prettify it (e.g. with js-beautify or an online tool), then grep for '/api/' to enumerate the routes, including the deck export and restore endpoints.
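The same bundle inspection works as a release-time check on the defending side: inventory every `/api/` literal the compiled bundle ships and flag any route that is not in the documented API. The script below is an added illustration, not code from Tanuki or Hintru; the bundle fragment is constructed, and the allowlist is a hypothetical one.

```python
import re

# Constructed fragment of a minified React bundle (not the real Tanuki bundle).
SAMPLE_BUNDLE = (
    'fetch("/api/decks",{method:"GET"});'
    'fetch(`/api/decks/${e}/export`,{headers:{Accept:"application/xml"}});'
    'axios.post("/api/restore",{deck:t},{headers:{"Content-Type":"application/json"}});'
    'const u="/api/user/me";'
    'window.location="/login";'
)

# Quoted string or template literal starting with /api/ (template placeholders kept as-is).
ROUTE_RE = re.compile(r'["\'`](/api/[^"\'`\s]*)["\'`]')
METHOD_RE = re.compile(r'method:\s*["\'](\w+)')
AXIOS_RE = re.compile(r'axios\.(post|put|delete|patch)\(')


def extract_api_routes(bundle: str) -> list[str]:
    """Sorted, de-duplicated /api/ path literals found anywhere in the bundle."""
    return sorted(set(ROUTE_RE.findall(bundle)))


def extract_api_calls(bundle: str) -> list[tuple[str, str]]:
    """(method, path) pairs, inferring the verb from the surrounding statement.

    fetch() without an explicit method defaults to GET; a bare string literal
    that is not part of a visible call is reported with method '?'.
    """
    calls = []
    for stmt in bundle.split(";"):
        for path in ROUTE_RE.findall(stmt):
            if m := METHOD_RE.search(stmt):
                method = m.group(1).upper()
            elif m := AXIOS_RE.search(stmt):
                method = m.group(1).upper()
            elif "fetch(" in stmt:
                method = "GET"
            else:
                method = "?"
            calls.append((method, path))
    return calls


def audit_routes(bundle: str, allowlist: set[str]) -> list[str]:
    """Routes the bundle references that are missing from the documented allowlist."""
    return [r for r in extract_api_routes(bundle) if r not in allowlist]
```

Running `audit_routes` against the documented route list makes an undocumented endpoint such as the restore handler visible before the bundle is shipped.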