Unprotected admin functionality with unpredictable URL

Taji Abdullah

Intro

This was also another pretty simple lab; it took less than 2 minutes to solve. I definitely spend more time on these write-ups than on the actual lab exercises... for now. I believe things will get harder, and this is still the Apprentice path. I would have to complete the Apprentice learning path to get to what might be called the Practitioner learning path.

The Lab

So once again, Carlos has to go…

The Analysis

Solving this lab is the same as the previous one. The clue was given in the reading prior to the exercise. The reading material mentioned that there could be some JavaScript containing functionality that would indicate how to find the admin panel. This is how I went about my analysis:

  1. I immediately right-clicked on the lab's web page to investigate the HTML and look for a link to a JavaScript file, but what I found was embedded JavaScript instead:

    The path to the admin panel:

     /admin-vzhpge
    
  2. The next step is to append this path to the web page URL to uncover the admin panel:

  3. And now, just as in the previous lab exercise, we give Carlos his send off:

What I learned

  • JavaScript served to the client can contain clues to hidden pages that might be accessible, such as the path to an admin panel that is not linked anywhere else. An unpredictable URL is not access control: anything the browser receives, the user can read.
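To turn that lesson into a check you can run against your own pages, here is an added example (not part of the original write-up or of the lab) that parses a page's inline script blocks and flags string literals that look like privileged paths. The HTML is a constructed sample that mimics the finding above, reusing the lab's /admin-vzhpge path; the list of "sensitive" name hints is an assumption chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: an inline script that embeds the admin panel path in
# client-side logic, the pattern the lab write-up describes. Not the lab's real HTML.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1>
<script>
var isAdmin = false;
if (isAdmin) {
  var link = document.createElement('a');
  link.href = '/admin-vzhpge';
  document.body.appendChild(link);
}
</script>
<script src="/resources/js/app.js"></script>
</body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collect the bodies of inline <script> elements (external src= scripts are skipped)."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            self.scripts[-1] += data


# A quoted string literal whose value is a site-relative path, e.g. '/admin-vzhpge'
PATH_LITERAL = re.compile(r"""['"](/[A-Za-z0-9_\-./]*)['"]""")

# Assumed, illustrative hints that a path names privileged functionality
SENSITIVE_HINTS = ("admin", "manage", "internal", "debug", "delete")


def leaked_paths(html: str):
    """Return every site-relative path literal found inside inline scripts, in order."""
    collector = InlineScriptCollector()
    collector.feed(html)
    found = []
    for body in collector.scripts:
        found.extend(PATH_LITERAL.findall(body))
    return found


def flag_sensitive(paths):
    """Keep only the paths whose name suggests privileged functionality."""
    return [p for p in paths if any(h in p.lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    for path in flag_sensitive(leaked_paths(SAMPLE_HTML)):
        print("inline script discloses privileged path:", path)
```

Run it over the HTML of your own deployed pages (for example the saved response of each route) and treat any flagged path as a finding to fix server-side: the admin route must check the session's role on every request, regardless of whether its URL was ever meant to be guessable.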