
Want to run this Docker container locally?
docker run -d -p 3010:3000 --restart always --name ctf-minecraft joshbeck2024/ctf-api-fuzzing
We’ll want to intercept this request in Burp Suite after ‘burning’ one coin.

- Need a Burp Suite Refresher: Click Here
- Right-click and copy the request seen below to a file.

I’ll call it myrequest.req

Open up myrequest.req and edit it as seen below:
- Include the full URL on the first line
- This is the most often overlooked detail!!!
- Fuzz the action parameter using the raft-small-words.txt wordlist.

—Fuzzing finds verify

In the Burp Repeater, change burn to verify and give it a high amount.

Then make a GET request to api/balance to see the flag.
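
Seen from the API owner's side, the fuzzing step above shows up as one client sending many distinct action values, and the entry that matters is the undocumented value the server accepted. The following is an added example, not code from the CTF or from this post; the log format, the /api/example path, the status codes and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumptions: this log format, the /api/example path and the threshold are
# hypothetical; only the action names "burn" and "verify" come from the page.
KNOWN_ACTIONS = {"burn"}   # actions the client UI legitimately sends
MAX_UNKNOWN = 5            # distinct undocumented actions tolerated per client

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"action=(?P<action>\S*) (?P<status>\d{3})$"
)

# Constructed sample: one normal client, one client walking a wordlist.
SAMPLE_LOG = [
    "10.0.0.5 POST /api/example action=burn 200",
    "10.0.0.5 POST /api/example action=burn 200",
] + [
    f"10.0.0.9 POST /api/example action={w} 400"
    for w in ("admin", "test", "login", "images", "backup", "config")
] + [
    "10.0.0.9 POST /api/example action=verify 200",
    "this line is malformed and is skipped",
]


def find_action_fuzzers(lines, known=KNOWN_ACTIONS, max_unknown=MAX_UNKNOWN):
    """Return {client: {"unknown_tried": n, "accepted": [...]}} for clients
    that sent more than max_unknown distinct undocumented action values."""
    tried = defaultdict(set)      # client -> distinct unknown actions
    accepted = defaultdict(set)   # client -> unknown actions answered 2xx
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines not in the expected format
        action = m["action"].lower()
        if action in known:
            continue
        tried[m["client"]].add(action)
        if m["status"].startswith("2"):
            accepted[m["client"]].add(action)
    return {
        c: {"unknown_tried": len(v), "accepted": sorted(accepted[c])}
        for c, v in tried.items()
        if len(v) > max_unknown
    }


if __name__ == "__main__":
    for client, report in find_action_fuzzers(SAMPLE_LOG).items():
        print(client, report)
```

Any value in the accepted list is an action the server honours but the client never sends, which is the handler to review for missing authorization or input limits.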
