4.1 Web: Unprotected admin functionality (Web Security Academy, Access control lab)

So, first of all: how do we reach the admin panel?

After collecting information on the site, I see no better option than discovering hidden directories and files on the web server, because I don’t have any login data. So we will do the following:

The command shown here scans the target URL “https://0a13006e035c43fd8596df8700f9007f.web-security-academy.net/” using the wordlist “fuzz.txt”, which contains a set of potential directory and file names to try against the application.

In more detail:

“-u” specifies the URL to be scanned.
“-w” specifies the path to the wordlist to be used in the scan.

The robots.txt file is a file site owners use to tell search engine crawlers which pages they are allowed to visit and which they should ignore.

When you visit this link (/robots.txt), you will likely see restrictive crawler instructions specifying which pages should not be indexed and which pages should be.

For example, a robots.txt file can contain instructions that:

Specify which folders should not be indexed.
Identify specific files that search engines should not visit.
Point search engines to the site’s sitemap.

Checking the robots.txt file can be an important part of a security assessment: the paths a site owner wants hidden from crawlers are often exactly the ones that need real access control, because robots.txt hides nothing from a human visitor who reads it.

We now append the path /administrator-panel (listed as disallowed in robots.txt) to the site URL. Let’s see what happens:

Here we have reached the admin panel without logging in. Now we delete the user carlos:
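To make the lab’s lesson concrete, here is an added example (my own code, not the Academy’s or the original write-up’s) that models both halves of this report: it pulls the Disallow entries out of a robots.txt body, and it puts the unprotected delete-user action beside a hardened version that authenticates and authorises on the server before acting. The request/session model, the user store and the extra robots.txt line are constructed for the example; only /administrator-panel and the user names come from the lab.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed robots.txt, modelled on what the lab exposes. The lab disallows
# /administrator-panel; the /cgi-bin/ line is made up for the example.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /administrator-panel
Disallow: /cgi-bin/   # constructed extra entry
Allow: /
"""


def disallowed_paths(robots_txt: str) -> list:
    """Return every non-empty Disallow path in a robots.txt body.

    Defenders can run this over their own robots.txt to list the paths that
    rely on crawlers politely staying away, then confirm each one still
    enforces authentication (robots.txt is advice, not access control)."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"disallow:\s*(\S*)", line, re.IGNORECASE)
        if m and m.group(1):
            paths.append(m.group(1))
    return paths


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical model)."""
    path: str
    query: dict = field(default_factory=dict)
    session_user: Optional[str] = None               # None = not logged in


def make_users() -> dict:
    """Fresh copy of a hypothetical user store: name -> role."""
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


def delete_user_vulnerable(req: Request, users: dict) -> tuple:
    """The lab's flaw: the admin action never asks who is calling it."""
    target = req.query.get("username")
    if target not in users:
        return 404, "no such user"
    del users[target]
    return 200, f"deleted {target}"


def delete_user_fixed(req: Request, users: dict) -> tuple:
    """Hardened form: authenticate, then authorise server-side, then act."""
    if req.session_user is None:
        return 401, "login required"
    if users.get(req.session_user) != "admin":
        return 403, "admin role required"
    return delete_user_vulnerable(req, users)        # checks passed; same action


def anonymous_reachable(routes: dict, paths: list) -> list:
    """Audit helper: which of the given paths answer 200 to a request that
    carries no session? Any hit is hidden by obscurity, not protected."""
    hits = []
    for p in paths:
        handler = routes.get(p)
        if handler is None:
            continue
        probe = Request(path=p, query={"username": "carlos"}, session_user=None)
        status, _ = handler(probe, make_users())
        if status == 200:
            hits.append(p)
    return hits


if __name__ == "__main__":
    hidden = disallowed_paths(SAMPLE_ROBOTS)
    print("Disallowed paths:", hidden)
    print("Reachable anonymously (vulnerable):",
          anonymous_reachable({"/administrator-panel": delete_user_vulnerable}, hidden))
    print("Reachable anonymously (fixed):",
          anonymous_reachable({"/administrator-panel": delete_user_fixed}, hidden))
```

The audit function maps each disallowed path to its handler and sends a session-less request; with the vulnerable handler, /administrator-panel is reported, with the fixed one it is not. The fix is deliberately ordered: an authentication check (401) before the role check (403), and the destructive action only after both pass.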

Congratulations, you solved the lab!

See you soon in other reports!

Abdelwahab_Shandy

AS_Cyber