ExploitMe


Description

Finally! The dating app specifically designed for people who think "getting a shell" is more exciting than getting a phone number.

Solution

The challenge uses the yup module to validate the input, which is common practice in web applications. By default, the schema.validate method returns the validated object including any properties that were not declared in the schema. This means that if the input contains additional properties, they are passed through into the output untouched.

This behaviour can be used to become admin by sending a request to /api/edit with is_admin: true in the body, since the SQL UPDATE query is built directly from the validated object, so the extra property becomes an extra column to write.
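The pass-through behaviour and its consequence for the UPDATE query, as an added example that is not the challenge's source. It is written without the yup dependency so it runs stand-alone: validateLeaky mimics a validator that returns the whole input object (yup's default), validateStrict keeps only declared fields (the yup equivalent is schema.validate(body, { stripUnknown: true }) or object().noUnknown()); the field names, table and column names are assumptions.

```javascript
// Columns the edit schema declares (assumed; the real schema is not shown).
const EDIT_SCHEMA_FIELDS = ['bio', 'age'];

// Leaky validator: checks the declared fields but returns the entire input,
// which is what yup's validate() does unless stripUnknown is set.
function validateLeaky(body) {
  for (const f of EDIT_SCHEMA_FIELDS) {
    if (!(f in body)) throw new Error(`missing field: ${f}`);
  }
  return { ...body };
}

// Hardened validator: only declared fields are copied into the result, so
// undeclared keys such as is_admin never reach the query builder.
function validateStrict(body) {
  const out = {};
  for (const f of EDIT_SCHEMA_FIELDS) {
    if (!(f in body)) throw new Error(`missing field: ${f}`);
    out[f] = body[f];
  }
  return out;
}

// Builds the parameterised UPDATE the handler runs. Column names are taken
// from the object keys, so this must only ever receive an allowlisted object:
// every extra key turns into a writable column.
function buildUpdate(validated, userId) {
  const cols = Object.keys(validated);
  const setClause = cols.map((c) => `${c} = ?`).join(', ');
  return {
    sql: `UPDATE users SET ${setClause} WHERE id = ?`,
    params: [...cols.map((c) => validated[c]), userId],
  };
}

// Constructed request body carrying the undeclared is_admin key.
const EDIT_BODY = { bio: 'prefers shells to phone numbers', age: 30, is_admin: true };

// Runs both paths for the same body so the difference is visible.
function demo(userId = 7) {
  return {
    leaky: buildUpdate(validateLeaky(EDIT_BODY), userId),
    strict: buildUpdate(validateStrict(EDIT_BODY), userId),
  };
}

console.log(demo().leaky.sql);  // is_admin column is written
console.log(demo().strict.sql); // only declared columns are written
```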

The /api/chat/{matchId}/report endpoint can be used to report a chat, which makes it visible to admin users. There is a missing authorization check, though: any user can report any chat, even one they do not have the privileges to view in the first place.

Once the chat has been reported, the /api/chat/{matchId} endpoint can be used to retrieve it with the admin account obtained above.