
Description
This lab’s email change feature contains a race condition that enables you to associate an arbitrary email address with your account.
Someone with the address carlos@ginandjuice.shop has a pending invite to be an administrator for the site, but they have not yet created an account. Therefore, any user who successfully claims this address will automatically inherit admin privileges.
To solve the lab:
- Identify a race condition that lets you claim an arbitrary email address.
- Change your email address to carlos@ginandjuice.shop.
- Access the admin panel.
- Delete the user carlos
You can log in to your own account with the following credentials: wiener:peter.
You also have access to an email client, where you can view all emails sent to @exploit-<YOUR-EXPLOIT-SERVER-ID>.exploit-server.net addresses.
Single-endpoint race conditions writeup
We open the lab, go to ‘My account’ and log in with the username ‘wiener’ and the password ‘peter’. We turn on Burp Suite's ‘Logger’ and capture an email change request:

We send this request to ‘Repeater’ with Ctrl + R or right click -> Send to Repeater. There we duplicate it with Ctrl + R again and create a group containing both requests. In the second one we set the victim's address ‘carlos@ginandjuice.shop’ as the value of the ‘email’ parameter. We send both requests in parallel, go back to the browser, open ‘Email client’, and see that the link to recover the victim's email address, instead of ours, has been sent to our mailbox:

We confirm, go back to ‘/my-account’, open ‘Admin panel’ and delete the user ‘carlos’, which completes the lab:
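
A minimal server-side model of why the overlapping requests end in a mismatched confirmation mail, and of a fix that binds each token to one address. This is an added example, not code from the lab or from the original writeup. It assumes the application keeps a single pending-email row per user and re-reads it when the mail is rendered; the class names and the example.test addresses are constructed.

```python
import secrets

class VulnerableFlow:
    """Assumed model: one pending row per user, re-read when the mail is rendered."""
    def __init__(self):
        self.pending = {}   # user -> (new_email, token)
        self.outbox = []    # (recipient, address the link confirms)

    def request_change(self, user, email):
        self.pending[user] = (email, secrets.token_urlsafe(16))
        return email        # the mail job remembers only the recipient

    def send_mail(self, user, job):
        email, _token = self.pending[user]   # flaw: shared state may have changed
        self.outbox.append((job, email))


class HardenedFlow:
    """Each token is bound to one address; the mail job is an immutable snapshot."""
    def __init__(self):
        self.tokens = {}    # token -> (user, new_email)
        self.outbox = []

    def request_change(self, user, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, email)
        return (email, token)

    def send_mail(self, user, job):
        email, _token = job                  # never re-reads shared state
        self.outbox.append((email, email))

    def confirm(self, user, token):
        owner, email = self.tokens.pop(token, (None, None))  # single use
        return email if owner == user else None


def misdelivered(flow):
    """Replay the overlap: both requests are stored before either mail is built."""
    jobs = [flow.request_change("wiener", addr)
            for addr in ("own@example.test", "other@example.test")]  # constructed
    for job in jobs:
        flow.send_mail("wiener", job)
    return [(to, link) for to, link in flow.outbox if to != link]


if __name__ == "__main__":
    print("vulnerable:", misdelivered(VulnerableFlow()))
    print("hardened:  ", misdelivered(HardenedFlow()))
```

In the hardened flow the address a link confirms is fixed when the token is issued, so a later request for the same user cannot change what an earlier mail confirms.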
