Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.
Objective: Discover all API endpoints by extracting and reading the minified React JavaScript bundle served by the application.
Context: The app is a React SPA. All client-side API calls are baked into the JavaScript bundle at /static/js/main.*.js. Prettifying and searching the bundle is the fastest way to enumerate every endpoint before touching the app.
The frontend is a compiled React SPA. Where would all the API endpoint strings live?
Fetch the JS bundle from /static/js/ and run it through a JS beautifier. Search for strings like /api/ to find every backend route.
Grab the bundle with curl or your browser's DevTools, prettify it (e.g. with js-beautify or an online tool), then grep for '/api/' to enumerate routes including deck export and restore endpoints.