Rating: 2.0

## Web - Door Lock


The door is open to all! See who is behind the admin door??

Author: **r3curs1v3_pr0xy**

Following the same format as the previous web challenge, we are back within our food based website.


Here is the Login page within the site menu.


This time we need to register and then sign in.


Now we have full access to our profile.


If you look closely, as I was using the built-in browser within ZAP, you can see in the URL that I have a Profile ID of 1357.

I initially checked the profiles of users 0 and 1 to see if I could access the admin profile, to no avail. I did try some additional random id numbers as I did not want to brute force the page as I thought this was not permitted.

However, once the challenge was finished I set up a ZAP fuzzer for 3000 id numbers.


Opened fuzzer.


Opened payloads.


Generated number payload.


Started the fuzzer. Once it was completed, I was able to review the complete list. One way would be to filter by "size response body" and look for the difference between ids.


However as we were expecting a flag, I utilised the search using the HTTP Fuzz Results for the flag prefix - GrabCon.


This came up with two hits, both with the id=1766.

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: PHPSESSID=b5424674b8786e71d7ae5eb8bacb8bb7
Upgrade-Insecure-Requests: 1

Now all we need to do is either go to the webpage and amend the id or look at the ZAP response for that id, where we find the words and flag highlighted in red.


##### GrabCON{E4sy_1D0R_}

Original writeup (https://github.com/Kartibok/Capture-the-Flag/blob/master/competitions/grabcon/door_lock.md).