Hi all, could someone please give me a nudge on this? I'm starting to not see the wood for the trees. I've found the 100 users and also found a user that I think I need to escalate privs to. I log in as htb-student, then go to the "Change your Password" page, where I get a GET request followed by a POST request. I'm pretty sure this is where some tweakery needs to be done, but I just can't figure it out. I note that in the POST request there is a token, and when I browse to a certain URL I can get a token for the user I need to change the password for.
OK, so I can enumerate, I can change every user's password, but I can't seem to figure out who is admin.
I ran it through Burp Intruder to log in and inspect the packet/page size to see if that may tell me based on a size difference. All looks the same (mind you, I enabled Intruder to follow redirections, not sure if it has anything to do with that).
I think you mentioned calendar functionality; do I need to log into each of the other 99 fellows manually and inspect?
As long as it helps you get the flag haha! That one is like finding a needle in a haystack.
Although a trick to finding the admin might be running the Burp Intruder attack and using the grep-match option to search for 'admin' or 'administrator'. Then it will flag whatever response contains that word. You would be guessing at the username, but it might save some headache.
-onthesauce
Could someone help me? I've already got the IDOR. I changed the request to PUT, HEAD and PATCH to reset.php and to api.php/user/**, sending it in the default format and in JSON, and I get a "0" or a "1" in the answer, respectively, as well as "access denied" and "missing parameters". I would assume that the answer "1" would make the necessary changes to the admin user password, but no, the "1" is just the API answer. Any hint would be much appreciated. Thanks in advance.
"Can anybody please help me? I am attempting a POST request with <!ENTITY name SYSTEM "php://filter/convert.base64-encode/resource=flag.php"> as an admin, but I cannot retrieve the flag. I've also tried using GET requests and other entities like details and date, but I still haven't been successful."
1 - Find the API; you are gonna make something when you find it. Don't forget to use HTTP verb tampering.
2 - Then log in using the account whose password you've changed.
3 - XXE, and you've found the flag!!
After you use the massive IDOR enum (getting all the JSON data), check the company tag that resembles an admin. It straight up tells you it is an admin account.
When I list all the users in the company in Burp Suite I get nothing, but if I do it by changing the uid in the browser (the cookie), yes, it works. Why could that be?