Breachforge Lab 04

MicroHub

A tiny internal platform split into three API surfaces — user, files, and billing — all sharing one Mongo instance.

Node.js · Express · MongoDB
Difficulty · Master
5 Chained Bugs

API Surface

POST /api/user/login            { username, password }        # JSON
POST /api/user/logout
GET  /api/user/me

POST /api/files/preview         { url }                       # fetches URL server-side
POST /api/files/upload          multipart, field: "archive"   # zip, admin+ only
POST /api/files/convert         { filename, size }            # ImageMagick thumbnail (bonus)

GET  /api/billing/mine                                        # your own invoices
GET  /api/billing/invoice/:id                                 # billing-admin only
GET  /api/billing/summary                                     # billing-admin only

Operational Notes

Flag Capture

Your goal is to read the treasury user's premium invoice. The memo field of that invoice contains the flag in the format BF{...} — copy it verbatim and paste it into the submission box on the Labs page to mark Lab 04 as captured.
