search
LinkedInGitHub

Vulnerable Password Reset

hashtag
Which city is the admin user from?

This assessment has a web application with a password reset function that has a security question. In order to try to get the password, we'll try to use a wordlist containing city names.

Step 1 - Get the wordlist:

  • Download the full CSV wordlistarrow-up-right

  • Reduce the wordlist to contain only city names

    • cat world-cities.csv | cut -d ',' -f1 > city_wordlist.txt

Step 2 - Intercept the Security Question POST Request:

  • Use Burp Suite to intercept the Request

Step 3 - Brute-force the Security Question:

  • With the POST Request information build the following ffuf command:

hashtag
Reset the admin user's password on the target system to obtain the flag.

Step 1 - Use the city discovered to answer the first question to reset the admin's password

Step 2 - Change the password

Step 3 - Login with the new credentials to get the flag!

PreviousBrute-Forcing 2FA CodesNextAuthentication Bypass via Direct Access

Last updated