
Authentication Bypass

Task 1 Brief

We start our machine.
I have started the machine.

No answer needed


Task 2 Username Enumeration

Above the question, the task tells us what to do.
We go to http://10.10.28.217/customers/signup, where we see the Acme IT Support signup page.
If we enter admin as the username here and fill in the remaining fields with arbitrary values, the site responds as follows.
In the next step, we use the following command.
The output of the code is as follows.
What is the username starting with si***?

"simon"

What is the username starting with st***?

"steve"

What is the username starting with ro***?

"robert"


Task 3 Brute Force

At this stage, we brute-force this login panel using the usernames we already know.
The answer has already appeared in the terminal output.

Task 4 Logic Flaw

We're going to examine the Reset Password function of the Acme IT Support website (http://10.10.28.217/customers/reset). We see a form asking for the email address associated with the account on which we wish to perform the password reset. If an invalid email is entered, you'll receive the error message "Account not found from supplied email address".
The username is submitted in a POST field to the web server, while the email address is sent in the query string as a GET field.

curl 'http://10.10.28.217/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'

For the next step, we'll need to create an account in the Acme IT Support customer section. Doing so gives you a unique email address that can be used to create support tickets. The email address is in the format {username}@customer.acmeitsupport.thm.
We create an account whose username is user.
Now, rerunning curl request 2 with our @acmeitsupport.thm address in the email field, you'll have a ticket created on your account which contains a link to log you in as Robert. Using Robert's account, you can view their support tickets and reveal a flag.

curl 'http://10.10.28.217/customers/reset?email=robert@acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email={username}@customer.acmeitsupport.thm'

We go to Robert's account and get our flag.
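As an added illustration (not code from the room or from the Acme IT Support application), the Python below models the logic flaw used above: the account is looked up from the POST username, while the reset link is delivered to whatever email the request supplies. The flawed handler therefore sends Robert's reset link to the requester's own address, while the hardened version only ever sends it to the address on file. The request parsing, the in-memory account table, and the assumption that a form email overrides a query-string email are all constructed for this example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample accounts (username -> registered email); hypothetical data.
ACCOUNTS: Dict[str, str] = {
    "robert": "robert@acmeitsupport.thm",
    "user": "user@customer.acmeitsupport.thm",
}


def _parse_request(url: str, body: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a request into query-string (GET) params and form (POST) fields."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return query, form


def vulnerable_reset(url: str, body: str) -> Optional[Dict[str, str]]:
    """Flawed handler: the recipient comes from the request, not the account.

    Assumption for this model: a form (POST) email takes precedence over a
    query-string (GET) email, which is why the second curl above works.
    """
    query, form = _parse_request(url, body)
    username = form.get("username")
    if username not in ACCOUNTS:
        return None  # "Account not found from supplied email address"
    recipient = form.get("email") or query.get("email")
    # BUG: the reset link for `username` is emailed to a user-controlled address.
    return {"account": username, "sent_to": recipient}


def fixed_reset(url: str, body: str) -> Optional[Dict[str, str]]:
    """Hardened handler: derive the recipient solely from the account record."""
    _query, form = _parse_request(url, body)
    username = form.get("username")
    if username not in ACCOUNTS:
        return None
    # The email supplied in the request is ignored entirely; the link can only
    # reach the address that was registered for this account.
    return {"account": username, "sent_to": ACCOUNTS[username]}
```

Run `vulnerable_reset` and `fixed_reset` with the two curl requests from the task to see the recipient differ only in the flawed version.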

Task 5 Cookie Tampering

We start sending requests to http://10.10.28.217 to inspect the cookie.
What is the value of the md5 hash 3b2a1053e3270077456a79192070aa78?

"463729"

What is the base64 decoded value of VEhNe0JBU0U2NF9FTkNPRElOR30= ?

"THM{BASE64_ENCODING}"

Encode the following value using base64 {"id":1,"admin":true}

"eyJpZCI6MSwiYWRtaW4iOnRydWV9"