BugBounty V1 Challenge Writeup

Challenge Name — Bug Bounty V1
Category — Web
Organizer — vulnfreak
Event — wormcon0x01 CTF
Author — th3pr0xyb0y & Aj4y
Challenge Description — "Our admin is active 24*7 and regularly checks his email and always visits any link received on his email. To get the flag, admin wants you to break into his account! Admin Email: [email protected]"
Challenge Link — https://bugbountyctf.vulnfreak.org/

Solution - Read the challenge description carefully: it states that the admin visits every link sent to his email. That means we need to find a function that sends an email to a user, i.e. something built on a mailer. Browsing the site a bit, there is a forgot-password option. The description also says we need to break into the admin's account, so we might try SQL injection on the login form, but that makes no sense once we relate it to the fact that an email function has to be involved. The only way that fits is attacking the forgot-password functionality.

Further analysis shows that when we request a password reset for any email, we receive an email like the one below.
email snapshot

The request made to the forgot-password endpoint looks like this:

forgot password request

Let's change the Host header to attacker.com, like below:

host changed in request

We got a 200 OK status code, so let's check the email.

If you look at the link in the email, its host has changed to attacker.com, which makes this web app vulnerable to Host header injection: the application builds the reset link from the Host header of the incoming request instead of from its own configured hostname. The description also says the admin visits every link sent to his inbox, and we know the admin's email. Together with the Host header injection, that is everything we need.
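To make the root cause concrete, here is an added example (not code from the challenge or from vulnfreak) showing the vulnerable pattern beside a hardened one. The app behind the challenge is not public, so the function names (buildResetLinkVulnerable, buildResetLinkSafe, isAllowedHost, handleForgotPassword), the APP_CONFIG object and the sample requests are assumptions constructed for this example; the hostname is the challenge's own.

```javascript
// Added example (not the challenge's own code): how a password-reset mailer
// becomes vulnerable to Host header injection, and one way to harden it.
// APP_CONFIG and all function names are assumptions made for this example.

const APP_CONFIG = {
  // The canonical public origin, fixed in configuration rather than read from the request.
  baseUrl: 'https://bugbountyctf.vulnfreak.org',
  // Hostnames the app is actually served on; anything else is rejected.
  allowedHosts: new Set(['bugbountyctf.vulnfreak.org']),
};

// Vulnerable pattern: the link's origin is copied from the client-controlled
// Host header, so the reset email can be made to point at a host the client chose.
function buildResetLinkVulnerable(req, token) {
  const proto = req.headers['x-forwarded-proto'] || 'https';
  return `${proto}://${req.headers.host}/reset-password/${token}`;
}

// Hardened pattern: ignore the Host header entirely when building absolute URLs
// and use the configured origin instead.
function buildResetLinkSafe(config, token) {
  return `${config.baseUrl}/reset-password/${encodeURIComponent(token)}`;
}

// Defence in depth: reject requests whose Host header is not one the app serves,
// so a poisoned request never reaches the mailer at all.
function isAllowedHost(config, hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  // Drop an optional port and lower-case before comparing
  // (bracketed IPv6 literals are not handled here).
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase();
  return config.allowedHosts.has(host);
}

// Simulated forgot-password handler over a plain request object (no framework needed).
function handleForgotPassword(config, req, token) {
  if (!isAllowedHost(config, req.headers.host)) {
    return { status: 400, link: null };
  }
  return { status: 200, link: buildResetLinkSafe(config, token) };
}

// Constructed sample requests: a legitimate one and one with a tampered Host header.
const TOKEN = 'example-token'; // placeholder, not a real reset token
const legitReq = { headers: { host: 'bugbountyctf.vulnfreak.org' } };
const tamperedReq = { headers: { host: 'attacker.com' } };

console.log('vulnerable, tampered Host:', buildResetLinkVulnerable(tamperedReq, TOKEN));
console.log('hardened, tampered Host:', handleForgotPassword(APP_CONFIG, tamperedReq, TOKEN));
console.log('hardened, legitimate Host:', handleForgotPassword(APP_CONFIG, legitReq, TOKEN));
```

The fix that matters is the configured base URL: even if the allowlist is bypassed by a proxy that rewrites Host, the emailed link can no longer be steered to another origin. The allowlist check is a second layer and is also what turns the 200 OK seen above into a 400 on a tampered request.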

So let's make a forgot-password request for the admin email with the Host header set to a Burp Collaborator URL, or an ngrok tunnel, so we can see the interaction. If the admin is indeed visiting the links, he will leak his token to our host. Checking Burp Collaborator, we find a reset token.

Let's open the link using the real hostname, http://bugbountyctf.vulnfreak.org/ (or the IP address), and make the request.

The actual request looks like http://bugbountyctf.vulnfreak.org/reset-password/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTJhMWRhYWJhODNhMjU5NTQ0ZTFjYjciLCJpc3MiOiJub2RlYXBpIiwiaWF0IjoxNjMwNTA3Mjg0fQ.JnZXhUsMeDUNdsj5UE2ikH1H2vxp16sWIv2hvmyXnHo

the actual request

Now just open the link, reset the admin password, log in, and you will see the flag as the admin's name!

Here is your flag: wormcon{h0$t_h3ad3r_1s_th3_w4y_t00_pwn_4dm1n}

Conclusion:

Step 1 - Go to the forgot-password page.

Step 2 - Enter the admin email in the input box: [email protected]

Step 3 - Change the Host header to an ngrok or Burp Collaborator host, or use RequestBin.

Step 4 - Send the request to the forgot-password endpoint.

Step 5 - Grab the reset token from ngrok, Burp Collaborator or RequestBin.

Step 6 - Reset the password and log in as admin.

Step 7 - Get the flag: wormcon{h0$t_h3ad3r_1s_th3_w4y_t00_pwn_4dm1n}
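From the defender's side, the tell-tale sign of this attack is a forgot-password request whose Host header is not one of the hostnames the site is actually served on. The following is an added example (not part of the original writeup) that runs such a check over constructed access-log lines; the log format, the function names (findHostHeaderAnomalies, normaliseHost) and the sample entries are assumptions made for this example, so adapt the regex to your own log format (for example an nginx log_format that records $host).

```javascript
// Added example (not part of the original writeup): flag forgot-password
// requests whose Host header is outside the set of hostnames the site serves.
// The log format and all sample lines below are constructed for this example.

const SERVED_HOSTS = new Set(['bugbountyctf.vulnfreak.org']);

// Constructed sample log lines: "<ts> <ip> <method> <path> host=<Host header> status=<code>"
const SAMPLE_LOG = `
2021-09-01T14:54:40Z 198.51.100.7 POST /forgot-password host=bugbountyctf.vulnfreak.org status=200
2021-09-01T14:54:44Z 203.0.113.5 POST /forgot-password host=attacker.com status=200
2021-09-01T14:55:01Z 203.0.113.5 GET /login host=attacker.com status=200
2021-09-01T14:55:09Z 198.51.100.9 POST /forgot-password host=BugBountyCTF.vulnfreak.org:443 status=200
2021-09-01T14:56:12Z 203.0.113.8 POST /forgot-password host=bugbountyctf.vulnfreak.org.attacker.com status=200
`.trim();

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) host=(\S+) status=(\d+)$/;

// Normalise a Host header value for comparison: drop the port, lower-case it.
function normaliseHost(raw) {
  return raw.replace(/:\d+$/, '').toLowerCase();
}

// Return one finding per request to a sensitive endpoint whose Host header is not
// a served hostname. Sensitive endpoints are those that put absolute links into
// e-mails (the password-reset flow here).
function findHostHeaderAnomalies(logText, servedHosts, sensitivePaths = ['/forgot-password']) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue; // skip lines that do not match the expected format
    const [, ts, ip, method, path, rawHost, status] = m;
    if (!sensitivePaths.includes(path)) continue;
    const host = normaliseHost(rawHost);
    // Exact-match against the served set: a lookalike subdomain such as
    // bugbountyctf.vulnfreak.org.attacker.com must not pass.
    if (servedHosts.has(host)) continue;
    findings.push({ ts, ip, method, path, host, status: Number(status) });
  }
  return findings;
}

const findings = findHostHeaderAnomalies(SAMPLE_LOG, SERVED_HOSTS);
for (const f of findings) {
  console.log(`[host-mismatch] ${f.ts} ${f.ip} ${f.method} ${f.path} host=${f.host} status=${f.status}`);
}
```

A status of 200 on a flagged line is the same signal the writeup relied on: the application accepted the foreign Host and, if it builds links the way described above, has already mailed a poisoned reset link.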

Please note: this writeup was written in a hurry, so sorry for the bad English!
