We first logged in as the user wiener and observed that our email address was:
wiener@exploit-0a7f00df03014a6b8011570501300056.exploit-server.net
We then logged out and used the “Forgot password” function during login. The response indicated:
“Please check your email for a reset password link.”
We navigated to the Email Client page and found the password reset link:
At first, we were unable to identify the token type being used:
Upon capturing the request during the password reset process, we identified that the application was using a temporary token:
Initially, we removed all parameters and attempted to change the username to the target user we wanted to exploit—but this failed:
We then re-created the request from scratch. This time, without removing the entire temp-forgot-password-token parameter, we only removed its value. Surprisingly, we were able to change the username to the target user and reset their password to one of our choice:
We then logged in as that user and successfully solved the lab:
