
This one is fun.
- First we need to look over the source code to discover this:

We can go to:
<http://sem2ctf.icsi.cyber:9000/api/v1/status>

Copy the token above to a notepad or something. (It’s a JWT Token. The format is distinctive!)
Since we have discovered an API endpoint, it --totally-- makes sense to use an API wordlist to fuzz for other endpoints that we don’t know about yet.
- Download the wordlist below using a tool like wget or curl.
- Fuzz for other API endpoints using ffuf:

`ffuf -u http://sem2ctf.icsi.cyber:9000/api/v1/FUZZ -w words.txt`

**<http://sem2ctf.icsi.cyber:9000/api/v1/users>**

Utilizing Authorization: Bearer <TOKEN>
Authorization: Bearer <token> is standard because it is formally specified and widely supported.
- If you have access to a token, one way to submit it is shown below.
Insert this standard Authorization: Bearer <token> header with the TOKEN copied from the api/v1/users endpoint
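
To make the "distinctive format" and the Bearer header concrete, here is an added example (not part of the original writeup) that recognises a compact JWT, decodes its header and payload without verifying the signature, and builds the `Authorization` header. The function names, the claims and the signing key are constructed for illustration; the sample token is generated locally, not taken from the challenge.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("segments are not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JOSE header has no 'alg' field")
    return {"header": header, "payload": payload,
            "signature_len": len(b64url_decode(parts[2]))}


def bearer_header(token: str) -> dict:
    inspect_jwt(token)  # refuse to send something that is not a JWT
    return {"Authorization": f"Bearer {token.strip()}"}


def make_sample_token() -> str:
    # Constructed sample: made-up claims signed with a throwaway key.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": "demo-user", "role": "guest"}).encode())
    sig = hmac.new(b"throwaway-key", f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    token = make_sample_token()
    print(json.dumps(inspect_jwt(token), indent=2))
    print(bearer_header(token))
```

The leading `eyJ` seen on most JWTs is just the base64url encoding of `{"`, the start of the JSON header. Because the payload is only encoded, not encrypted, anyone holding the token can read its claims.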