MaxPassManager was a challenge from Web category. The web app was a password manager.
Vulnerability
MaxPassManager’s api endpoint /api/passwords/{uid} was prone to IDOR. The code of the web app was downloadable through the challenge. The migrate script creates the following users with the following UIDs:

After requesting the password for UID 73, it was possible to retrieve admin’s password: