webProeasy

Lab 153 — FlowDesk — CSRF Account Takeover via Email Change

hackadvisor

Task: Express.js workspace platform where email change endpoint lacks CSRF protection while name/password endpoints are protected. Solution: exploited password reset token disclosure to take over admin account, or alternatively use CSRF via admin bot to change admin's email, then reset password and access admin panel for flag.

$ ls tags/ techniques/

information_disclosure express csrf admin_bot decoy_flag account_takeover password_reset_token_leak samesite_lax missing_csrf_token email_change

admin_account_takeoverdecoy_flag_evasionsamesite_lax_top_level_navigationcsrf_on_email_change_endpointpassword_reset_token_disclosureform_urlencoded_csrf

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 110 — FlowDesk — Mass Assignment Privilege Escalation— hackadvisor
[web][Pro]Lab 118 — FlowDesk — Predictable Password Reset Token— hackadvisor
[web][Pro]Lab 192 — StockFlow — Broken Authentication via CSRF Token Reuse— hackadvisor
[web][Pro]DeskFlow — Session Fixation via Support Ticket URL— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor