Unprotected admin functionality

Taji Abdullah

Intro

This was another quick and simple lab in the Web Security Academy Apprentice learning path. So far these early introductory labs seem almost similar to a CTF exercise. Either that, or past CTF experience is giving me a leg up. Honestly I want to get to some harder stuff that will really get me to solving more complex problems. I also should know better, and be careful what I wish for…

The Lab

This lab has an unprotected admin panel that needs to be found. The goal of this lab is to delete a user named Carlos.

The Analysis

These are the steps I took to analyse and solve this lab.

  1. Based on the reading preceding the lab, the first thing I did was append:

     /robots.txt

     to the URL of the lab's web page. This returned this result:

  2. That looks like the path to an admin panel to me, so I also appended that to the lab's web page URL:

     and it was exactly what I thought it was. On the admin panel I can see two users.

  3. Deleting Carlos solves the lab so Carlos has to go. Sorry Dude, nothing personal…

What I learned

  • Checking a website's robots.txt file could possibly yield some clues about potential vulnerabilities.