Hi all, could someone please give me a nudge on this? I'm starting to not see the wood for the trees. I've found the 100 users and also found a user that I think I need to escalate privs to. I log in as htb-student, then go to the "Change your Password" page, where I get a GET request followed by a POST request. I'm pretty sure this is where some tweakery needs to be done, but I just can't figure it out. I note that in the POST request there is a token, and when I browse to a certain URL I can get a token for the user I need to change the password for.
OK, so I can enumerate, I can change every user's password, but I can't seem to figure out who is admin.
I ran it through Burp Intruder to log in and inspect packet/page size to see if that may tell me based on size difference. All looks the same (mind you, I enabled Intruder to follow redirections, not sure if it has anything to do with that).
I think you mentioned calendar functionality; do I need to log in as each of the other 99 fellows manually and inspect?
As long as it helps you get the flag haha! That one is like finding a needle in a haystack.
Although a trick to finding the admin might be running the Burp Intruder attack and using the grep-match option to search for 'admin' or 'administrator'. Then it will flag whatever response contains that word. You would be guessing at the username, but it might save some headache.
-onthesauce
Could someone help me? I've already got the IDOR; I changed the request to PUT, HEAD and PATCH to reset.php and to api.php/user/**, sending it in the default format and in JSON, and I get a "0" or a "1" in the answer, respectively, as well as "access denied" and "missing parameters". I would assume that the answer "1" would make the necessary changes to the admin user's password, but no, the "1" is just the API answer. Any hint would be much appreciated. Thanks in advance.
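Seen from the defender's side, the activity described in this thread (one session walking api.php/user/<id> for many ids, then posting a reset for a user other than its own) is a pattern worth flagging in access logs. This is an added example, not code from any poster or from the lab; the log format (session id and authenticated user id on each line), the uid= parameter on reset.php, and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format): "session authenticated_uid method path status".
# Session s1 is logged in as user 7, reads four other user records, then resets user 4.
SAMPLE_LOG = """\
s1 7 GET /api.php/user/7 200
s1 7 GET /api.php/user/1 200
s1 7 GET /api.php/user/2 200
s1 7 GET /api.php/user/3 200
s1 7 GET /api.php/user/4 200
s1 7 POST /reset.php?uid=4 200
s2 9 GET /api.php/user/9 200
s2 9 POST /reset.php?uid=9 200
"""

USER_PATH = re.compile(r"^/api\.php/user/(\d+)$")      # object lookup by numeric id
RESET_PATH = re.compile(r"^/reset\.php\?uid=(\d+)$")   # assumed reset parameter name


def analyse(log_text, enum_threshold=3):
    """Return alerts for cross-user password resets and for sessions that
    read more than enum_threshold user records belonging to other users."""
    other_ids_seen = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        session, uid, method, path, _status = line.split()
        m = USER_PATH.match(path)
        if m:
            if m.group(1) != uid:           # reading someone else's record
                other_ids_seen[session].add(m.group(1))
            continue
        m = RESET_PATH.match(path)
        if m and method == "POST" and m.group(1) != uid:
            # a reset whose target is not the authenticated user: the IDOR itself
            alerts.append(("cross_user_reset", session, uid, m.group(1)))
    for session, ids in other_ids_seen.items():
        if len(ids) >= enum_threshold:
            alerts.append(("user_enumeration", session, len(ids)))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

A real server-side fix is to bind the reset token to the authenticated session rather than to a user id the client can choose; the log check above is only the detection side.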