Off Balance | CyberStart Completion

Off Balance


We’re hot on the heels of catching this cyber gang but the closer we get, the more damage they try to inflict onto the Barcelona tourism industry!

This time, they’ve hacked into a large international bank’s mobile application. Customers of the bank are complaining they can’t see their current balance and these criminal masterminds need to be held to account. Intern, help customers retrieve their balances, so they can continue to spend their money during their well-earned holidays!

Helping our international friends will really help develop our network.


If you check out the Network tab in the developer tools of your browser while you click on different pages in the app, you can see there are requests being made to an API. Try using a Linux command line tool like curl to talk to the API directly to see if you can get at the account balance that way.

How to Solve:

  1. Open the Console.
  2. Navigate to the Network tab.
  3. Click on Transactions in the phone menu.
  4. Right-click on get-transactions > Copy > Copy as fetch
  5. In the console, paste the fetch (including all options) and change the URL from to and click enter.
    fetch("", {
     "headers": {
         "accept": "*/*",
         "accept-language": "en-US,en;q=0.9",
         "content-type": "application/x-www-form-urlencoded",
         "sec-ch-ua": "\"Chromium\";v=\"106\", \"Microsoft Edge\";v=\"106\", \"Not;A=Brand\";v=\"99\"",
         "sec-ch-ua-mobile": "?0",
         "sec-ch-ua-platform": "\"Windows\"",
         "sec-fetch-dest": "empty",
         "sec-fetch-mode": "cors",
         "sec-fetch-site": "cross-site"
     "referrer": "",
     "referrerPolicy": "strict-origin-when-cross-origin",
     "body": "token=CNcsmXX5d50ZQCG5Us4twDi18awV",
     "method": "POST",
     "mode": "cors",
     "credentials": "omit"
  6. Under Name (the list of all network requests), click on and go to Response.
     "data": {
         "endpoint": {
             "ref": "index",
             "protocol": "https://",
             "domain": "",
             "path": "/"
         "user": {
             "id": "xgHof4h98"
     "links": {
         "get-accounts": "",
         "get-payments": "",
         "get-transactions": ""
  7. Observe the links as there is no get-balances rather there is get-accounts.
  8. Go back to the console and make another fetch to with the same headers.
  9. Navigate to the Response tab once again and find flag, your flag should be there.


  • postD4ta_w1zard