Metasploit 2021

4 of diamonds

Solved by: Starry-Lord

Port 10010

Here we had a web app with a register and login page.

Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.

<script>
  var current_account = {
    "id":2,"username":starlord,"role":"user","created_at":
    "2021-12-03T6:36:42.821Z","updated_at":"2021-12-03T6:36:42.821Z"
  };
</script>

By intercepting the register request, I noticed I was sending account[username]=starlord like parameters, and decided to add account[role]=admin to see if it would give me admin privilege.

By doing so I got a session with an additional admin button, which gave me the flag.