User Role Can Be Modified in User Profile
Lab: User role can be modified in user profile (Apprentice)
Solution
Given
This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of 2.
Solve the lab by accessing the admin panel and using it to delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Analyzing the task
The task gives a very specific hint: the admin panel is open to users whose roleid is 2, and the role can apparently be changed through the user profile. So the goal is to get roleid=2 on our own account, reach the admin panel and delete the user carlos.
Recon
Let's check the user profile: it has a change-email form. Submit it and this request goes out:
POST /my-account/change-email
{"email":"xxx@xxx.ru"}
The response:
{
  "username": "wiener",
  "email": "xxx@xxx.ru",
  "apikey": "sNK5lPO4Q9iCMxU18Tevh5HTKt9NmR9Y",
  "roleid": 1
}
Interesting: the response echoes the whole user record, roleid included, so perhaps the update handler binds any field we send, not just the email. Send the request to Repeater, add a roleid field with the value 2 and send it. Voilà, the role changed.
Reload the page and the admin panel is available. Delete the user carlos. Lab solved!
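The bug behind this lab is mass assignment: the change-email handler copies every key from the JSON body onto the user record, so a client-supplied roleid becomes the new role. The following is an added example, not the lab's own code, that models that handler beside an allow-list version and a small log check. The User record, the field names (username, email, apikey, roleid), the requirement that /admin needs roleid 2 and the log lines are taken from or constructed around the lab's own request and response; the function names and the sample API key are assumptions made for the example.

```python
import json
from dataclasses import dataclass

ADMIN_ROLE_ID = 2  # from the lab: /admin is only for users with roleid 2


@dataclass
class User:
    """Constructed user record with the same fields the lab's response shows."""
    username: str
    email: str
    apikey: str
    roleid: int


def update_profile_vulnerable(user: User, raw_body: str) -> User:
    """Models the lab's handler: every key in the JSON body that matches an
    attribute on the record is written through, so {"roleid": 2} is honoured."""
    body = json.loads(raw_body)
    for key, value in body.items():
        if hasattr(user, key):          # no allow-list, just "does the field exist?"
            setattr(user, key, value)
    return user


# The only field a user may change about themselves via /my-account/change-email.
SELF_SERVICE_FIELDS = {"email"}


class ForbiddenFieldError(ValueError):
    """Raised when the body carries a field the caller is not allowed to set."""


def update_profile_hardened(user: User, raw_body: str) -> User:
    """Allow-list version: only "email" is bound from the request. Any other key
    (roleid, apikey, username) is rejected rather than silently dropped, so the
    attempt shows up as an error in the logs instead of disappearing."""
    body = json.loads(raw_body)
    unexpected = set(body) - SELF_SERVICE_FIELDS
    if unexpected:
        raise ForbiddenFieldError(
            f"client tried to set protected field(s): {sorted(unexpected)}")
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("email must be a string containing '@'")
    user.email = email
    return user


def can_access_admin(user: User) -> bool:
    """Server-side check the lab's /admin endpoint performs."""
    return user.roleid == ADMIN_ROLE_ID


PROTECTED_FIELDS = {"roleid", "apikey", "username"}


def flag_protected_field_writes(log_lines):
    """Detection helper: given request-body log lines of the form
    'POST <path> <json>', return the (path, fields) pairs where a self-service
    endpoint received a protected field. Useful for spotting the Repeater step
    described above after the fact."""
    hits = []
    for line in log_lines:
        try:
            method, path, body = line.split(" ", 2)
            fields = set(json.loads(body))
        except ValueError:
            continue  # malformed line, skip it
        if method == "POST" and path.startswith("/my-account/"):
            bad = fields & PROTECTED_FIELDS
            if bad:
                hits.append((path, sorted(bad)))
    return hits


def demo():
    """Runs the escalation against both handlers and returns what each did."""
    # Constructed sample account; the API key is a placeholder, not the lab's.
    body = '{"email":"xxx@xxx.ru","roleid":2}'
    weak = update_profile_vulnerable(User("wiener", "w@example.com", "APIKEY-PLACEHOLDER", 1), body)
    strong = User("wiener", "w@example.com", "APIKEY-PLACEHOLDER", 1)
    try:
        update_profile_hardened(strong, body)
        rejected = False
    except ForbiddenFieldError:
        rejected = True
    return {
        "vulnerable_roleid": weak.roleid,
        "vulnerable_admin": can_access_admin(weak),
        "hardened_rejected": rejected,
        "hardened_roleid": strong.roleid,
    }


if __name__ == "__main__":
    print(demo())
    # Constructed log lines resembling the two requests from the write-up.
    print(flag_protected_field_writes([
        'POST /my-account/change-email {"email":"xxx@xxx.ru"}',
        'POST /my-account/change-email {"email":"xxx@xxx.ru","roleid":2}',
    ]))
```

The point of rejecting rather than ignoring unexpected fields is that an ignored roleid leaves no trace, while a 400 with the offending field name gives the SOC something to alert on; the log check shows what that alert would key on.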