Exploit a case-sensitive OTP tracking system to brute-force the admin password reset
# Using autodeploy
bash autodeploy.sh
# Or manually
docker compose up --build -d
Access the lab at: http://localhost:1337
1. Login as user@securecam.io
2. Use "Invite to Camera Group" to discover admin@securecam.io
3. Analyze password reset flow:
- POST /api/auth/forgot-password → generates 4-digit OTP
- POST /api/auth/reset-password → email + new_password + otp
- 4 failed attempts → email blocked
4. Discover: OTP tracking is case-sensitive, password reset is case-insensitive
5. Write Python3 exploit:
- Generate email case variants (admin@, Admin@, aDmin@, etc.)
- For each variant: request OTP → try 4 codes → move to next variant
6. Run exploit → password reset → login as admin → flag
The server tracks OTP attempts using the exact email string as the key, so the counter is case-sensitive.
After 4 failed attempts for a given email string, that string is blocked.
However, the user lookup in the password reset uses a case-insensitive comparison (LOWER(email) = LOWER(?)),
so every case variant of the email resolves to, and updates the password of, the same user.
As a result, each case variant of the admin email (e.g., Admin@securecam.io, aDmIn@securecam.io)
gets its own 4 fresh OTP attempts, which defeats the rate limit.
admin@securecam.io contains 16 alphabetic characters, so there are 2^16 = 65,536 possible case variants;
at 4 attempts each that is 262,144 total attempts, far more than the 10,000 possible 4-digit OTP codes.
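The root cause is that the rate limiter and the user lookup disagree on what "the same account" means. The following is an added example, not the lab's own code: a minimal OTP store in which the attempt counter is keyed either on the raw email string (the lab's behaviour) or on the same canonical form the user lookup uses. The email addresses, the OTP value and the wrong guess are constructed for the demonstration; the limit of 4 attempts comes from the lab description.

```python
"""OTP attempt tracking: raw-string key (vulnerable) vs canonical key (fixed).

Added example, not code from the lab. Emails and OTP values are constructed.
"""
from dataclasses import dataclass, field
import hmac

MAX_ATTEMPTS = 4  # the lab blocks an email after 4 failed OTP attempts


def canonical_email(email: str) -> str:
    """Normalize exactly the way the user lookup does (LOWER(email) in SQL)."""
    return email.strip().lower()


@dataclass
class OtpStore:
    normalize: bool                                    # False reproduces the lab's bug
    otps: dict = field(default_factory=dict)           # key -> currently issued OTP
    failures: dict = field(default_factory=dict)       # key -> failed attempts so far

    def key(self, email: str) -> str:
        # The vulnerable store keys on the raw string, so "Admin@" and "admin@"
        # get separate counters even though they resolve to one user.
        return canonical_email(email) if self.normalize else email

    def issue(self, email: str, otp: str) -> None:
        """Record a freshly generated OTP; re-issuing must not reset failures."""
        self.otps[self.key(email)] = otp

    def verify(self, email: str, otp: str) -> str:
        """Return 'blocked', 'ok' or 'invalid' and update the failure counter."""
        k = self.key(email)
        if self.failures.get(k, 0) >= MAX_ATTEMPTS:
            return "blocked"
        expected = self.otps.get(k)
        if expected is not None and hmac.compare_digest(expected, otp):
            self.failures.pop(k, None)
            self.otps.pop(k, None)      # an OTP is single-use
            return "ok"
        self.failures[k] = self.failures.get(k, 0) + 1
        return "invalid"


def attempts_available(store: OtpStore, spellings: list, otp: str) -> int:
    """Count how many wrong guesses the store accepts across spellings of one email."""
    guesses = 0
    for spelling in spellings:
        store.issue(spelling, otp)          # request a new OTP for this spelling
        while store.verify(spelling, "0000") == "invalid":   # constructed wrong guess
            guesses += 1
    return guesses


if __name__ == "__main__":
    spellings = ["admin@securecam.io", "Admin@securecam.io", "aDmin@securecam.io"]
    print("raw key:      ", attempts_available(OtpStore(normalize=False), spellings, "1234"))
    print("canonical key:", attempts_available(OtpStore(normalize=True), spellings, "1234"))
```

With the raw-string key, three spellings yield 12 guesses; with the canonical key they share one counter and yield 4. In a real application the counter should be keyed on the resolved user id (or the canonical email the lookup already computes), never on the request's untrusted string, and the same normalization should be applied to every rate limit that guards the reset endpoint.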
Access the step-by-step interactive writeup at: http://localhost:1337/writeup
Bug Bounty Labs by @_.gorkaaa.b