Author: Derin Ozturk
Role: CTF Developer | 2nd Year Cyber Security Student, Sheridan College
Category: Web Exploitation
The E-Bazaar was a spotlight challenge for the 2026 ISSessions FantasyCTF. Despite being my favorite challenge out of all the challenges I've made, it remained unsolved by the end of the event. This write-up explores the three distinct web vulnerabilities required to "piece together" the 3-part flag.
Looking at the index page, the goal is to purchase items that seem unobtainable due to high prices or broken logic.
The primary targets are the Iced Out Magic Wand and the Elixir Vitae.
First, we check for hidden routes like /admin. While it exists, it is initially inaccessible.
By inspecting the index page source code, we find a hidden item with item_id: 6.
The Exploit: Using Burp Suite, we intercept the request responsible for adding an item to the cart.
We manually modify the item_id to 6 and set the item_amount to 1.
Result: The "Elixir of Invisibility" is successfully added. Checking out provides Part 1 of the Flag.
The Iced Out Magic Wand is too expensive. We can manipulate our balance by exploiting a lack of server-side validation on the item_amount.
The Exploit: By sending a negative value for the amount, the total cost becomes negative, allowing us to gain money instead of losing it.
Attempting to checkout normally results in an error.
Intercepting the checkout request reveals two parameters encoded in ASCII hex and Base64: cart_empty and force_checkout.
We modify force_checkout to True (Base64: VHJ1ZQ==) and cart_empty to False (Base64: RmFsc2U=) to bypass the validation.
Result: The error is bypassed.
Our balance is now sufficient to purchase the "Iced Out Magic Wand".
Purchasing the wand grants Part 2 of the Flag.
The final item, Elixir Vitae, has a price of None, breaking the cart system.
The Exploit: We can now visit the /admin route since we found the first two pieces.
Visiting the /admin route assigns an auth cookie.
The value of the cookie is eyJ1c2VyIjogIk5vbmUiLCAibG9nZ2VkSW4iOiBmYWxzZX0=. When decoded from Base64, it reveals a standard JSON object: {"user": "None", "loggedIn": false}.
To exploit this insecure session management, we first need to identify a valid username. Attempting to log in with random credentials returns a generic error message:
However, when we try the username admin, the error message changes, confirming that the user admin exists but the password was incorrect. This is a classic "User Enumeration" vulnerability.
With the confirmed username, we can bypass the login logic entirely by spoofing the cookie.
We craft the new cookie: {"user": "admin", "loggedIn": true} (Base64: eyJ1c2VyIjogImFkbWluIiwgImxvZ2dlZEluIjogdHJ1ZX0=).
By refreshing the main page with the new cookie injected, we bypass the login gate and gain full access to an administrative dashboard.
We change the price of the Elixir Vitae to a valid number.
Finally, we remove the admin cookie to return to the standard index page.
Final Step: We add the Elixir to the cart and purchase it.
Result: The final part of the flag is revealed, completing the challenge.
- Input Validation: Never trust quantity or ID values sent from the client.
- Secure Sessions: Cookies should be signed or encrypted to prevent privilege escalation.
- Business Logic: Ensure checkout functions validate price states and enforce positive integers for quantities.
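The three takeaways above, as an added example that is not the challenge's own code: a server-side add-to-cart check that rejects hidden ids, non-positive quantities and a None price, plus an HMAC-signed session cookie under which the unsigned cookie from this write-up, and a re-encoded admin cookie, are both treated as anonymous. The catalog, key and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed catalog mirroring the write-up's failure modes: a hidden item
# and an item whose price is None.
CATALOG = {
    1: {"name": "Iced Out Magic Wand", "price": 999999},
    6: {"name": "Elixir of Invisibility", "price": 50, "hidden": True},
    7: {"name": "Elixir Vitae", "price": None},
}


def price_cart_line(item_id, item_amount, catalog=CATALOG):
    """Server-side pricing of one add-to-cart request. Client values are
    never trusted: ids must exist and be purchasable, amounts must be
    positive ints (bool is rejected too), and the price must be a number."""
    if type(item_id) is not int or type(item_amount) is not int:
        return {"ok": False, "error": "item_id and item_amount must be integers"}
    item = catalog.get(item_id)
    if item is None or item.get("hidden"):
        return {"ok": False, "error": "unknown item"}
    if item_amount < 1:  # a negative amount would otherwise credit the buyer
        return {"ok": False, "error": "amount must be a positive integer"}
    if not isinstance(item["price"], int) or item["price"] < 0:
        return {"ok": False, "error": "item is not purchasable"}  # None price
    return {"ok": True, "total": item["price"] * item_amount}


SESSION_KEY = b"constructed-demo-key"  # placeholder; load from a secret store


def sign_session(data, key=SESSION_KEY):
    """Base64 JSON body plus an HMAC-SHA256 tag, joined by a dot."""
    body = base64.b64encode(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_session(cookie, key=SESSION_KEY):
    """Return the session dict only if the tag matches the body. A cookie
    with no tag, or with an edited body, yields None (anonymous user)."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(body))
```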
Thanks for reading my write-up and I really hope you enjoyed!