Academy Web Attacks Skills Assessment

Hi All, could someone please give me a nudge on this please, starting
to not see the wood for the trees. I’ve found the 100 users and also found a user that I think I need to escalate privs to.

I log in as htb-student, then go to the “Change your Password” page where
I get a GET request followed by a POST request. I’m pretty sure this is
where some tweakery needs to be done but I just can’t figure it out. I note
that in the POST request there is a token and when I browse to a certain
URL I can get a token for the user I need to change the password for.

Any help much appreciated

As usual, please ignore, now solved this

I’m stuck at the first panel, after the login.
I don’t know what to do,
really.

@onthesauce

your usual here lol

OK, so I can enumerate, I can change every user’s password, but can’t seem to figure out who is admin.

Run through Burp Intruder to log in and inspect packet/page size to see if that may tell me based on size difference. All looks the same. (Mind you, enabled Intruder to follow redirections, not sure if it has anything to do with that.)

I think you mentioned calendar functionality, do I need to log into each of the other 99 fellows manually and inspect?

Need a nudge here.

Gosh, I swear I think finding the answers is me reaching out to @onthesauce. It was staring right at me. What the heck lol

I searched all the data for that elevated keyword, not sure how I was missing it. Weird.

As long as it helps you get the flag haha! That one is like finding a needle in a haystack.

Although a trick to finding the admin might be running the Burp Intruder attack and using the grep-match option to search for ‘admin’ or ‘administrator’. Then it will flag whatever response contains that word. You would be guessing at the username, but it might save some headache.
-onthesauce