I have been poking this challenge for a few days now. I have created users and attempted to enumerate more users. I can see that the SIPS 0.2.2 vulnerability (username enumeration) is present, but I cannot seem to exploit it.
Well, I’m blocked too. I have a new valid token (200 OK) with a relevant role, but the substitution doesn’t work (nothing else happens). However, I suspect my token to be invalid; this is the first time that I have used this tool. So I don’t know if I have to push my research elsewhere or if I have to fix my mess. Any tips?
@Omnisec said:
I’m not having difficulty while “busting” the cookie. However, I do need a little bit of a push regarding how to reach the administrator account?
I managed to “bust” the cookie too. I seem to have trouble manipulating it to become “an” admin or become “the” admin. Guys, any hints towards that?
You’re serious right now?? How do you seriously say “I don’t know if this is a spoiler or not”?? You basically just gave anyone who has no idea how to get to this point half of the challenge for free. This is a huge spoiler… This much information should never be posted on ANY challenge/machine that isn’t retired… Wow…