2.11 Lab: Password reset poisoning via middleware


Karthikeyan Nagaraj
2 min read, Jan 9, 2024

Description

This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

Solution

  1. Go to My account, click Forgot password, and enter the username wiener.
  2. Open the exploit server and click Email client at the bottom.
  3. Note down the password reset URL in the email.
  4. Go back to My account, click Forgot password again, enter the username carlos, and capture the request in Burp Suite.
  5. Send the request to Repeater and turn Intercept off.
  6. In Repeater, add a header at the end of the request: X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
  7. Make sure the username value is carlos, remove the session cookie value if needed, and send the request.
  8. Go to the exploit server and click Access log. You will see the password reset token for carlos, which the application sent to our server. If you sent the request more than once, use the most recent token (check the timestamps).
  9. Copy the token, paste it into the reset URL you received for wiener in place of wiener's token, and open that URL in the browser.
  10. Set a new password, click My account, and log in with the username carlos and the password you just set. The lab is solved.
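The root cause the lab demonstrates is that the application's middleware builds the reset link from the X-Forwarded-Host header, so whoever controls that header controls where the token is delivered. The following Python is an added example (not code from the original post or from the PortSwigger lab itself) that contrasts that vulnerable link construction with a hardened version that only ever uses a configured canonical host, plus a small defender-side check for spotting host-override attempts in request headers. The host names, the `token` query parameter name and all function names are assumptions chosen for illustration.

```python
"""Added example: vulnerable vs. hardened password-reset link generation.

Not part of the original post. Host names, parameter names and function
names are hypothetical; constructed request headers stand in for real traffic.
"""
from urllib.parse import urlencode, urlsplit

# Assumed canonical host of the application (would come from server config).
CANONICAL_HOST = "vulnerable-website.example"

# Constructed sample headers: a normal reset request, and one carrying the
# attacker-supplied X-Forwarded-Host header from step 6 of the walkthrough.
NORMAL_REQUEST_HEADERS = {"Host": CANONICAL_HOST}
POISONED_REQUEST_HEADERS = {
    "Host": CANONICAL_HOST,
    "X-Forwarded-Host": "exploit-server.example",  # attacker-controlled value
}


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_link_vulnerable(headers, token):
    """Mirrors the lab's flaw: middleware prefers X-Forwarded-Host over Host
    when deciding which hostname to put in the emailed link."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/forgot-password?{urlencode({'token': token})}"


def build_reset_link_hardened(headers, token, canonical_host=CANONICAL_HOST):
    """Never derive the link's hostname from request headers. Additionally
    refuse requests whose Host header is not the expected value, so a
    spoofed or misrouted request fails loudly instead of being served."""
    if (_header(headers, "Host") or "").lower() != canonical_host:
        raise ValueError("unexpected Host header on password reset request")
    return f"https://{canonical_host}/forgot-password?{urlencode({'token': token})}"


def link_host(link):
    """Hostname a generated reset link would send the user to."""
    return urlsplit(link).hostname


def is_host_override_attempt(headers, canonical_host=CANONICAL_HOST):
    """Detection helper for access logs or a WAF rule: flag any request whose
    X-Forwarded-Host names something other than the site's own host."""
    forwarded = _header(headers, "X-Forwarded-Host")
    return forwarded is not None and forwarded.lower() != canonical_host


if __name__ == "__main__":
    token = "constructed-token-value"
    print("vulnerable:", build_reset_link_vulnerable(POISONED_REQUEST_HEADERS, token))
    print("hardened:  ", build_reset_link_hardened(POISONED_REQUEST_HEADERS, token))
    print("flagged:   ", is_host_override_attempt(POISONED_REQUEST_HEADERS))
```

Run as a script, the vulnerable builder emits a link pointing at the attacker's host while the hardened builder ignores the injected header entirely; the detection helper is the kind of check you would apply to proxy logs to see whether anyone has been probing the reset endpoint this way.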
