After starting the Tanuki challenge, I navigated straight to the lab URL and did what every security tester does first: fired up Burp Suite. With interception ready and curiosity fully armed, I registered a fresh user account to see how the application behaves during normal onboarding.


After seeing the hint "SSRF", I immediately slowed down and started observing the page more carefully. Instead of jumping straight into requests, I took a moment to scan all the available features and inputs on the dashboard, looking for anything that might trigger a server-side request behind the scenes.


Next, I switched to the Burp Suite Target tab and started reviewing all the captured requests one by one. That's when something immediately caught my attention 👀. One request was sending a URL directly inside the request body to the server.

Seeing a user-controlled URL being passed like this, especially right after an SSRF hint, was a huge red flag. This instantly felt like the entry point the challenge was quietly waiting for.

I sent the request to Burp Repeater and modified the URL parameter to point to the admin endpoint. Once I forwarded the request, the server happily fetched the internal admin page on my behalf, and just like that, the flag was returned in the response 🎯.


A clean and classic SSRF win.
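For the defensive side of the same bug, here is an added example (not code from the challenge or the writeup) of the check the vulnerable endpoint was missing: validating a user-supplied URL before the server fetches it, rejecting non-HTTP schemes and any host that is, or resolves to, a loopback, private, or link-local address. The names `ALLOWED_SCHEMES`, `is_internal`, `validate_fetch_url` and the `FAKE_DNS` table are assumptions constructed for this demo so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _resolve(host):
    """Resolve a hostname to the set of IPs it points at (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(ip_str):
    """True for addresses a server should never fetch on a user's behalf."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_fetch_url(url, resolve=_resolve):
    """Return (ok, reason, pinned_ip). `resolve` is injectable so the check
    runs offline against the constructed FAKE_DNS table below."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    try:  # IP literal: check it directly, otherwise resolve the name
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            ips = resolve(host) or set()
        except (socket.gaierror, UnicodeError):
            ips = set()
    if not ips:
        return False, "unresolvable host", None
    bad = [ip for ip in ips if is_internal(ip)]
    if bad:
        return False, f"resolves to internal address {bad[0]}", None
    # Pin one resolved address so the fetch cannot be steered elsewhere by
    # a second DNS lookup (rebinding); connect to pinned_ip, not the name.
    return True, "ok", sorted(ips)[0]

# Constructed lookup table standing in for DNS in this demo.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "admin.internal": {"10.0.0.5"},
}
```

Call `validate_fetch_url(url, FAKE_DNS.get)` to try it offline; in production drop the second argument so real DNS is used, and make the HTTP client connect to the returned pinned IP with the original Host header.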