This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete the user carlos.
I initially navigated directly to the '/register' page to observe how it processes my input. Notably, there's a note specifying that individuals affiliated with DontWannaCry should utilize their '@dontwannacry.com' email addresses. I've decided to set this information aside for potential future use.
I'll be running some enumeration in the background to ensure comprehensive coverage. If I encounter any obstacles, I can then explore alternative approaches.
Upon initiation, I promptly identified an 'admin' directory. Without hesitation, I decided to explore its contents:
I took note that to access the admin interface, logging in as a DontWannaCry user is required.
In an attempt to exploit potential vulnerabilities, I experimented with user registration. One intriguing behavior emerged when I provided an excessively long string in the email parameter, surpassing the typical 255-character limit. After confirming the registration in the email client 'attacker@exploit-0a3a003a03e2326781611a1e013900d4.exploit-server.net' and logging in with the new user, I observed that the stored email had been truncated to precisely 255 characters.
Recalling the necessity to log in as a DontWannaCry user with the domain '@dontwannacry.com', I conceived an idea: crafting an email string so that, even after truncation, it would still end in '@dontwannacry.com' as the domain.
After confirming the registration through the email client, I successfully logged in and gained access to the admin panel. Subsequently, I proceeded to delete the 'carlos' user, successfully resolving the lab.
Here I wrote a simple Python script to register with the crafted email:
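The author's registration script is not part of this text. The following is an added example, written here rather than taken from the write-up, that models the flaw from the defender's side: the registration handler validates the submitted address and only then truncates it to the 255-character column, so the value that gets stored (and later checked by the admin panel) is not the value that was validated. The hardened variant rejects over-length input instead of silently truncating it. The email regex, the 255 limit, the domain check and the delivery domain are assumptions for this illustration, not the lab's code.

```python
# Added example (not the author's script, not the lab's code): registration
# that truncates after validation versus one that rejects over-length input.
import re

MAX_EMAIL_LEN = 255                      # assumed column width, as observed in the lab
TRUSTED_DOMAIN = "dontwannacry.com"      # domain the admin panel trusts
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed, deliberately simple


def register_vulnerable(email: str) -> str:
    """Validate the submitted address, then truncate it to fit the column.
    The stored value can therefore differ from the validated one."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    return email[:MAX_EMAIL_LEN]


def register_hardened(email: str) -> str:
    """Enforce the length limit before validation and store exactly what was validated."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email too long")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    return email


def is_admin(stored_email: str) -> bool:
    """Authorisation check on the stored address (assumed to mirror the admin panel)."""
    return stored_email.rsplit("@", 1)[-1].lower() == TRUSTED_DOMAIN


def compare(email: str) -> dict:
    """Run both registration paths and report whether each ends up with admin access."""
    out = {}
    for name, fn in (("vulnerable", register_vulnerable), ("hardened", register_hardened)):
        try:
            out[name] = is_admin(fn(email))
        except ValueError:
            out[name] = False
    return out


# Constructed input of the shape the write-up describes: '@dontwannacry.com' ends
# exactly at character 255, and a real mailbox domain follows so confirmation mail
# still arrives. 'exploit-server.example' is a placeholder delivery domain.
CRAFTED = "a" * (MAX_EMAIL_LEN - len("@" + TRUSTED_DOMAIN)) \
    + "@" + TRUSTED_DOMAIN + ".exploit-server.example"

if __name__ == "__main__":
    print(compare(CRAFTED))            # {'vulnerable': True, 'hardened': False}
```

The detection signal for a defender is the same mismatch the code exposes: a stored email shorter than the one submitted at registration, or an address whose length equals the column width exactly.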