Unprotected Admin Functionality with Unpredictable URL
Lab
Unprotected admin functionality with unpredictable URL · Apprentice
Solution
Given
This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application.
Solve the lab by accessing the admin panel, and using it to delete the user carlos.
Analyzing the task
The admin panel is unprotected, so no login is needed and the whole task is finding its path. The lab text says the location is disclosed somewhere in the application, so that is the recon target: any JS file or inline script that renders admin links, since a hidden path has to be embedded somewhere in the client-side code. Possibly on a product page, but that is a guess.
Recon
I walked through the site: opened a product, went back to the listing, visited My account, then checked the request history in Burp. No separate JS file is loaded, so any link-rendering logic must be inline in the HTML.
Looking at the HTML response to GET /product?productId=2, there is an interesting inline script:
<script>
    var isAdmin = false;
    if (isAdmin) {
        var topLinksTag = document.getElementsByClassName("top-links")[0];
        var adminPanelTag = document.createElement('a');
        adminPanelTag.setAttribute('href', '/admin-q4va6y');
        adminPanelTag.innerText = 'Admin panel';
        topLinksTag.append(adminPanelTag);
        var pTag = document.createElement('p');
        pTag.innerText = '|';
        topLinksTag.appendChild(pTag);
    }
</script>
Found the admin URL: /admin-q4va6y. The isAdmin flag is hard-coded to false, so the link is never rendered for a normal user, but the path itself ships in the page source to every visitor. Hiding a link in the browser is not access control; the server has to authorize every request to the admin path, and here it does not.
Browse to /admin-q4va6y directly, use the panel's delete function on the user carlos, and the lab is solved.
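As an added example (my own, not the write-up author's or PortSwigger's code) of doing this recon step with a script rather than by eye, the Python below parses a saved response body, pulls every path-like string literal out of inline script blocks, drops the ones that are already visible links on the page, and separately flags booleans hard-coded to false and then tested with if (...), the exact pattern that hid the link here. It also collects external script src values so you know which JS files to fetch and scan the same way. The sample HTML is constructed to mirror the lab's snippet and is not the real page; the script does no fetching itself, so feed it response bodies from Burp.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: a cut-down copy of the lab's product page, with the
# visible top links and the inline script that gates the admin link behind a
# client-side flag. Not the lab's real HTML, just the same shape.
SAMPLE_HTML = """<html><body>
<section class="top-links">
  <a href="/">Home</a><p>|</p>
  <a href="/my-account">My account</a><p>|</p>
</section>
<script>
var isAdmin = false;
if (isAdmin) {
    var topLinksTag = document.getElementsByClassName("top-links")[0];
    var adminPanelTag = document.createElement('a');
    adminPanelTag.setAttribute('href', '/admin-q4va6y');
    adminPanelTag.innerText = 'Admin panel';
    topLinksTag.append(adminPanelTag);
}
</script>
</body></html>"""


class PageScanner(HTMLParser):
    """Collect inline <script> bodies, external script srcs and every <a href>."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []      # bodies of inline scripts
        self.script_srcs = []  # external JS files worth fetching and scanning too
        self.hrefs = []        # links a normal user can already see on the page

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
            else:
                self.in_script = True
                self.scripts.append("")
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


# A quoted string that looks like a URL path: one or more /segment parts.
PATH_LITERAL = re.compile(r"""["']((?:/[A-Za-z0-9._~-]+)+/?)["']""")
# A boolean hard-coded to false, e.g.  var isAdmin = false;
FALSE_FLAG = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*false\s*;")


def find_hidden_paths(html):
    """Paths mentioned in inline scripts that are not also visible links.

    Returned in order of first appearance, without duplicates.
    """
    scanner = PageScanner()
    scanner.feed(html)
    visible = set(scanner.hrefs)
    hidden = []
    for body in scanner.scripts:
        for match in PATH_LITERAL.finditer(body):
            path = match.group(1)
            if path not in visible and path not in hidden:
                hidden.append(path)
    return hidden


def client_side_gates(html):
    """Flags set to false and then tested with if (flag) in an inline script.

    Each one marks a feature hidden in the browser rather than denied by the
    server; the body of that if block is where the hidden path usually lives.
    """
    scanner = PageScanner()
    scanner.feed(html)
    gates = []
    for body in scanner.scripts:
        for name in FALSE_FLAG.findall(body):
            gated = re.search(r"\bif\s*\(\s*%s\s*\)" % re.escape(name), body)
            if gated and name not in gates:
                gates.append(name)
    return gates


if __name__ == "__main__":
    print("client-side gates:", client_side_gates(SAMPLE_HTML))
    print("hidden paths:", find_hidden_paths(SAMPLE_HTML))
```

Anything it reports still has to be requested to see whether the server actually enforces authorization; a path that returns 200 to an unauthenticated or low-privilege session, as /admin-q4va6y does in this lab, is the finding.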