Metasploit 2021

4 of diamonds

Solved by: Starry-Lord

Port 10010

Here we had a web app with a register and login page.

Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.

  var current_account = {

By intercepting the register request, I noticed I was sending account[username]=starlord like parameters, and decided to add account[role]=admin to see if it would give me admin privilege.

By doing so I got a session with an additional admin button, which gave me the flag.

Published on : 08 Dec 2021