# Authentication bypass via information disclosure

## Description

This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.

To solve the lab, obtain the header name then use it to bypass the lab's authentication. Access the admin interface and delete the user `carlos`.

You can log in to your own account using the following credentials: `wiener:peter`

## Solution

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2F6uR6XFfzlJzbzu5tdr1o%2Fimage.png?alt=media&#x26;token=86aaa8a9-3fbe-4a71-9be0-ea200d194df2" alt=""><figcaption></figcaption></figure>

Start by logging in as the `wiener` user at <https://0ae80062039d9b5194f2429800130047.web-security-academy.net/login>

The page source shows nothing of interest, so we try the admin page by adding the `/admin` path to our URL: <https://0a160012030fde108045dab900300013.web-security-academy.net/admin>

which returns this information-disclosing message: "Admin interface only available to local users"

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FPrqaUWdUDsjLcB0pQcvQ%2Fimage.png?alt=media&#x26;token=f6d9997a-ffbf-4934-b176-86ed3e96f453" alt=""><figcaption></figcaption></figure>

So we analyze the request to learn more about how the access check is made.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2F75TGiRJPx78cMRxg6lOP%2Fimage.png?alt=media&#x26;token=f7ed9f69-46cd-49fc-9d27-4dc3c79e4e41" alt=""><figcaption></figcaption></figure>

We can change the request method to see whether the response changes.

With the TRACE method it does: the response comes back with status code 200.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FrFWW4xgs1xalj7FzTRZf%2Fimage.png?alt=media&#x26;token=fa7968bc-66ca-43c3-89d7-ca63e7b81cb9" alt=""><figcaption></figcaption></figure>

TRACE is a diagnostic method that echoes the request back as the back-end received it, so the response reveals a header the front-end added on the way through: `X-Custom-IP-Authorization: 37.101.171.137`

We can copy that header into our own request with a localhost IP, `127.0.0.1`, as its value, and change the method back to GET.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FZm3LfZED1293v4S3Ypdi%2Fimage.png?alt=media&#x26;token=0cd524ba-f5a4-4489-b408-1dbf21ec136b" alt=""><figcaption></figcaption></figure>

Now we're in the admin panel with permission to delete the `carlos` user.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FYab5daO55csoi8XQrZDZ%2Fimage.png?alt=media&#x26;token=39df7eae-414f-4e21-85d3-c3a5cd7157f5" alt=""><figcaption></figcaption></figure>

Analyzing the response, there's a URL that deletes the `carlos` account: `GET /admin/delete?username=carlos`

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FULYDDV8Kfdu3LyWyvp6w%2Fimage.png?alt=media&#x26;token=e732e870-c1e9-4ab4-aacd-9c73b2afe1a9" alt=""><figcaption></figcaption></figure>

Copy it into our request to delete the account and solve the lab.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FVmAodX3dysCxmQIjTHVZ%2Fimage.png?alt=media&#x26;token=3ca2b1f9-e6c1-4243-93bb-fcba629f40d5" alt=""><figcaption></figcaption></figure>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FTyOKzJfKaeEuBgnO0qao%2Fimage.png?alt=media&#x26;token=25b5ce08-2b66-409e-b39d-3301a0e349f1" alt=""><figcaption></figcaption></figure>
