Lab 5 - Reflected
Objective: Privilege Escalation

We log in using the given credentials:
wiener:peter
Looking at the fields below, it looks like the form updates the user's address. Let's take a look at the request being sent.

Yes, it's going through the /change-address endpoint: a POST request with the data sent as a JSON body.

In the response, we see a property set for our user: isAdmin: false. The server is echoing back the merged user object, so anything that ends up on that object is visible to us.

We can test for server-side prototype pollution by trying to pollute the global Object.prototype. First, send the request to Repeater. Then add a __proto__ object to the JSON body carrying a harmless test property.
Next, send the request and look at the Response to see whether the test property is reflected in the returned user object.

Success, we polluted the prototype: the property we put inside __proto__ is reflected on the user object. Now we can do the same with a property the application actually trusts, and set isAdmin to true inside __proto__.
Look at the Response again.

Success! The response now shows isAdmin: true. Refresh the website page and we have admin access.
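To show why the __proto__ trick works and how the endpoint should have been written, here is an added example that is not code from the lab or from this write-up. It models a /change-address style handler as a recursive merge of the JSON body into the user object, with a hypothetical vulnerable merge (unsafeMerge) next to a hardened one (safeMerge); the request body, the user record and the function names are assumptions.

```javascript
// Added example, not the lab's code. Models the merge behind a
// /change-address style endpoint and shows how a "__proto__" key in the
// JSON body reaches Object.prototype. All names here are hypothetical.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: a typical recursive merge. JSON.parse() turns "__proto__" in
// the body into an ordinary own property, and reading target["__proto__"]
// on a plain object returns Object.prototype, so the recursion writes the
// attacker's nested properties onto the global prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys of the body, and the keys that can reach a
// prototype ("__proto__", "constructor", "prototype") are refused outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body, in the shape the write-up describes: a real
// address field plus a __proto__ object carrying the property we want.
const POLLUTING_BODY = JSON.parse(
  '{"address_line_1":"Wiener HQ","__proto__":{"isAdmin":true}}'
);

// The authorization check reads isAdmin off the user object. If the user
// record has no own isAdmin property, the lookup falls through to
// Object.prototype, which is exactly what the pollution targets.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Runs the attack against a given merge strategy and reports what an
// attacker would observe. Object.prototype is cleaned up afterwards so the
// two runs do not influence each other.
function exploitAgainst(merge) {
  const user = { username: 'wiener' }; // no own isAdmin: assumed session record
  merge(user, POLLUTING_BODY);
  const unrelated = {}; // created after the merge; polluted only if the prototype was
  const result = {
    addressUpdated: user.address_line_1 === 'Wiener HQ',
    userIsAdmin: isAdmin(user),
    unrelatedIsAdmin: isAdmin(unrelated),
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('unsafeMerge:', JSON.stringify(exploitAgainst(unsafeMerge)));
console.log('safeMerge:  ', JSON.stringify(exploitAgainst(safeMerge)));
```

Run it with node. With unsafeMerge the address is updated and both the user and a completely unrelated object report isAdmin as true, which is the privilege escalation from the lab; with safeMerge the address is still updated but the __proto__ key is ignored. Note that the attack only works because the check reads an inherited property: a user object that owned isAdmin: false would shadow the polluted value, which is why key filtering or building records with Object.create(null) is the robust fix rather than relying on every object having its own copy.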