Info:
This lab has a user account page that contains the current user's existing password, prefilled in a masked input.
Goal:
To solve the lab, retrieve the administrator's password, then use it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
- Log in with the credentials wiener:peter.
- Start your proxy/interceptor (Burp, OWASP ZAP, or similar) and enable interception.
- Open the account page for your user so the request/response is captured.
- Inspect the response for the account page: the existing password will be present (masked in the UI but visible in the response).
- Send the request to Repeater (or manually edit the intercepted request).
- Change the id parameter from your username to administrator (for example id=wiener → id=administrator).
- Forward the edited request or follow the redirect to view the response.
- Inspect the response body to find the administrator's password.
- Log out of the web app and log in as administrator using the recovered password.
- Go to the admin panel and delete the user carlos.
- Submit the lab as solved once carlos is deleted.
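The two defects the walkthrough relies on are a client-controlled id parameter deciding whose account is shown, and the stored password being sent back in the response. The following is an added example (not the lab's own code) showing a minimal account-page handler with both defects next to a hardened version that derives identity from the session, records mismatched id values for alerting, and never returns the password; the user store, names and password values are constructed placeholders.

```python
# Constructed sample user store; password values are placeholders, not lab data.
USERS = {
    "wiener": {"password": "peter", "email": "wiener@example.com"},
    "administrator": {"password": "PLACEHOLDER-ADMIN-PW", "email": "admin@example.com"},
    "carlos": {"password": "PLACEHOLDER-CARLOS-PW", "email": "carlos@example.com"},
}

# Hypothetical audit sink: a real app would emit these as structured log events
# so a SIEM rule can alert on session_user != requested_id.
AUDIT_LOG = []


def account_page_vulnerable(session_user: str, params: dict) -> dict:
    """Vulnerable handler: trusts the client-supplied id and echoes the password.

    The authorization decision is made on a value the client controls (broken
    access control / IDOR), and the response carries a secret the page never
    needed (password disclosure); masking in the UI hides nothing from a proxy.
    """
    target = params.get("id", session_user)
    record = USERS[target]
    return {"username": target, "email": record["email"],
            "password": record["password"]}  # prefilled into the masked input


def account_page_hardened(session_user: str, params: dict) -> dict:
    """Hardened handler: identity comes from the server-side session only."""
    requested = params.get("id")
    if requested is not None and requested != session_user:
        # Reject rather than silently ignore, and record it: a user supplying
        # someone else's id is a strong signal worth alerting on.
        AUDIT_LOG.append({"event": "id_mismatch", "session_user": session_user,
                          "requested_id": requested})
        raise PermissionError("id does not match the authenticated user")
    record = USERS[session_user]
    # Never return the stored password. A change-password form should take the
    # current password as input, not have it prefilled by the server.
    return {"username": session_user, "email": record["email"]}
```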

