Target: https://santacloud.intigriti.io/home
Vulnerability: Insecure Direct Object Reference (IDOR)
Flag: INTIGRITI{019b118e-e563-7348-a377-c1e5f944bb46}
Found exposed backup file → Leaked credentials → Authenticated access → IDOR on notes API → Admin's private note contained the flag.
Starting with the basics, I checked for robots.txt:
<https://santacloud.intigriti.io/robots.txt>

The file revealed an interesting disallow entry pointing to backup files. Following common backup naming conventions, I tried:
<https://santacloud.intigriti.io/composer.json~>

Bingo! The backup file was publicly accessible.
Notes: It's a part of the flag, which is
INTIGRITI{019b118e-e563-734 in the secret value. However, it's not the complete flag, which should end with the } character.
Inside composer.json~, I found hardcoded credentials (a classic developer mistake):
{
    "admin-access": {
        "username": "elf_supervisor",
        "password": "CookiesAndMilk1337"
    }
}
🚩 Security Lesson #1: Never commit credentials to version control or leave backup files exposed.
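The three mistakes this chain relied on (a backup copy left in the web root, a secret hardcoded in it, and a robots.txt Disallow line advertising the path) are all things a pre-deploy check can catch before anything is published. The script below is an added example written for this write-up, not code from the challenge or from Intigriti; it walks a document root the way a CI job would and reports each of those conditions. The directory layout, the `config/app.json` file and its `hunter2` value are constructed sample input; the `composer.json~` content mirrors the leaked file quoted above, trailing comma included, so the fallback parser is exercised.

```python
"""Pre-deploy audit of a web root for backup copies, hardcoded secrets and
robots.txt entries that point at real files. Added example, not from the
original write-up; file names and sample values below are constructed."""
import json
import re
import tempfile
from pathlib import Path

# Editor backup suffixes and lock/copy prefixes that a static file server
# will serve as-is when they land in the document root.
BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".swp", ".save")
BACKUP_PREFIXES = (".#", "#")

# Keys that usually carry a secret when they appear in JSON config.
SECRET_KEYS = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.I)


def is_backup_name(name: str) -> bool:
    return name.endswith(BACKUP_SUFFIXES) or name.startswith(BACKUP_PREFIXES)


def find_backup_artifacts(root: Path) -> list[Path]:
    """Every file under root whose name looks like a backup copy."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_backup_name(p.name))


def _walk_json(node, trail: list[str], hits: list[str]) -> None:
    """Collect dotted paths of secret-looking keys with non-empty string values."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = trail + [key]
            if SECRET_KEYS.search(key) and isinstance(value, str) and value:
                hits.append(".".join(path))
            _walk_json(value, path, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk_json(item, trail + [f"[{i}]"], hits)


def find_hardcoded_credentials(path: Path) -> list[str]:
    """Secret-looking string values in a JSON file.

    A file that is not valid JSON (the leaked composer.json~ had a trailing
    comma) falls back to a line-based scan so the syntax defect does not
    hide the secret; the fallback reports the bare key name.
    """
    text = path.read_text(errors="replace")
    hits: list[str] = []
    try:
        _walk_json(json.loads(text), [], hits)
        return hits
    except json.JSONDecodeError:
        pass
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"\s*:\s*"([^"]*)"', line)
        if m and SECRET_KEYS.search(m.group(1)) and m.group(2):
            hits.append(m.group(1))
    return hits


def find_advertised_paths(root: Path) -> list[Path]:
    """Files that robots.txt names in a Disallow line.

    Disallow hides nothing from a human reader; it is a list of places to look.
    """
    robots = root / "robots.txt"
    if not robots.is_file():
        return []
    found = []
    for line in robots.read_text().splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() != "disallow" or not value:
            continue
        target = root / value.lstrip("/")
        if target.is_file():
            found.append(target)
    return found


def audit_webroot(root: Path) -> dict[str, list[str]]:
    """Run all three checks; returns {relative path: [findings]}."""
    report: dict[str, list[str]] = {}

    def note(p: Path, msg: str) -> None:
        report.setdefault(str(p.relative_to(root)), []).append(msg)

    for f in find_backup_artifacts(root):
        note(f, "backup artifact reachable as a static file")
        for hit in find_hardcoded_credentials(f):
            note(f, f"hardcoded secret: {hit}")
    for f in root.rglob("*.json"):  # does not match names ending in "json~"
        for hit in find_hardcoded_credentials(f):
            note(f, f"hardcoded secret: {hit}")
    for f in find_advertised_paths(root):
        note(f, "named in robots.txt Disallow (advertises the path)")
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed web root resembling the challenge and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "composer.json").write_text('{"name": "santa/cloud"}\n')
        # Copy of the leaked backup quoted in the write-up, trailing comma kept.
        (root / "composer.json~").write_text(
            '{\n  "admin-access": {\n    "username": "elf_supervisor",\n'
            '    "password": "CookiesAndMilk1337",\n  }\n}\n')
        (root / "config").mkdir()
        (root / "config" / "app.json").write_text(  # constructed sample
            '{"db": {"host": "localhost", "password": "hunter2"}}\n')
        (root / "robots.txt").write_text(  # constructed; exact original unknown
            "User-agent: *\nDisallow: /composer.json~\nDisallow: /admin/\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for item in findings:
            print("   -", item)
```

Run it against the real document root in CI and fail the build when the report is non-empty; the robots.txt check is the one most teams forget, since a Disallow line looks like a protection but is the opposite.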