Siemens Future Minds CTF — MaxPassManager

MaxPassManager was a challenge from Web category. The web app was a password manager.


MaxPassManager’s api endpoint /api/passwords/{uid} was prone to IDOR. The code of the web app was downloadable through the challenge. The migrate script creates the following users with the following UIDs:

After requesting the password for UID 73, it was possible to retrieve admin’s password:

With these credentials it was possible to login and retrieve the flag:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store