I have become admin, manipulator of users
Process:
It was a page with Username (prefilled) and Password fields.
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-1-edited.png?resize=1272%2C712&ssl=1)
Entering any password and submitting shows a button to reset the password. The form also carried a hidden field, username.
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-3.png?resize=1024%2C666&ssl=1)
Clicking the Request Reset button sends a request to the server with your username in the POST data. The server returns the new password in the response, as a hidden input field.
Put a username in on one side, pull the password out on the other.
Solution:
Intercept this request and change the username to admin. The response gives admin's new password.
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-5.png?resize=1024%2C488&ssl=1)
Now submit the login form again with the username admin and the password from the response.
And we got the flag!
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-6.png?resize=739%2C319&ssl=1)
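To make the bug concrete, here is an added example (not the challenge's code and not the author's) that models the reset flow from the write-up beside a hardened one. The in-memory user table, the addresses and the outbox are constructed for the demo; the point is that a reset endpoint reached from the login page has no proof of who is asking, so it must not act on a client-chosen username and must never put the new secret in the response.

```python
"""Password reset: the pattern from the write-up beside a hardened version.

Hypothetical in-memory model, constructed for illustration only.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo accounts (hypothetical values).
USERS = {
    "guest": {"email": "guest@example.invalid", "password_hash": None},
    "admin": {"email": "admin@example.invalid", "password_hash": None},
}
# Simulated out-of-band channel: registered email -> tokens delivered there.
OUTBOX = {}
# Pending resets: sha256(token) -> (username, expiry). Only the hash is stored.
PENDING = {}
TOKEN_TTL_SECONDS = 600
PBKDF2_ROUNDS = 100_000


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; returns 'saltHex:digestHex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def reset_password_vulnerable(post_data):
    """The flow the write-up describes: the server trusts the POSTed username,
    rotates that account's password and echoes the new password back."""
    username = post_data.get("username", "")
    if username not in USERS:
        return {"status": 404}
    new_password = secrets.token_urlsafe(12)
    USERS[username]["password_hash"] = hash_password(new_password)
    # The secret leaves the server inside the HTML (a hidden input), so whoever
    # controls the username value in the request controls that account.
    return {"status": 200, "hidden_field_password": new_password}


def request_reset_fixed(post_data):
    """Hardened step 1: the caller has proven nothing, so the response is the
    same for every username and carries no secret. A single-use, time-limited
    token goes out of band to the address on file; the server keeps its hash."""
    username = post_data.get("username", "")
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        PENDING[token_hash] = (username, time.time() + TOKEN_TTL_SECONDS)
        OUTBOX.setdefault(user["email"], []).append(token)
    # Identical reply whether or not the account exists (no enumeration).
    return {"status": 200, "message": "If the account exists, a reset link was sent."}


def complete_reset_fixed(token, new_password):
    """Hardened step 2: the token is consumed once, checked for expiry, and the
    new password is chosen by the user, never generated and returned by us."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(token_hash, None)  # pop: a token can only be used once
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    USERS[username]["password_hash"] = hash_password(new_password)
    return True


def login(username, password):
    user = USERS.get(username)
    if user is None or user["password_hash"] is None:
        return False
    return verify_password(password, user["password_hash"])
```

The two hardened functions show the controls the challenge was missing: the identity being reset is bound to a server-stored token rather than to a form field, the token is hashed at rest and single-use, the response to the reset request is indistinguishable for existing and non-existing accounts, and the new password never travels from server to client.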