Can you find API endpoints on a different path?
Like most BugForge challenges, we start with registering and. After registering an account, the first thing I fired up was Jhaddix's Endpoints Bookmarklet to see what endpoints I could find on the page. A few of them that stood out were:
/v2/admin/users
/v2/admin/sessions
/v2/admin/flag
/v2/verify-token
Using just the regular user account I passed a GET request over to Replay in Caido to see what response I would get when I navigated to /v2/admin/flag:
HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: *
Content-Length: 33
Content-Type: application/json; charset=utf-8
Date: Thu, 26 Feb 2026 15:40:11 GMT
Etag: W/"21-giGdYWpRZ9NbwCSuHUJMDTRCPY4"
X-Powered-By: Express
Connection: close
{
"error": "Admin access required"
}
I ended up changing the `v2` to `v1` just to see if it would allow me in...sadly it did not. But in the request we have a JWT, I decoded it to see what exactly it was passing over:
{
"id": 4,
"username": "test_1",
"role": "user",
"iat": 1772119999
}
Using the site jwt.io - I changed some of the parameters "alg": "none` and then `"role": "admin" and then put the new JWT payload into the request and resent it. I ended up getting the same response, so I sat scratching my head wondering what I was doing wrong. After about 10ish minutes I thought "what if we change the id?
Go ahead and give that a try....maybe you'll find a flag.
No AI used in the making of this post that I know of atleast 😀