forgot-password-bypass-challenge.gohtml (1342B)
1 {{ define "sub-content" }} 2 <h3>Forgot-Password Bypass</h3> 3 <p> 4 I have made a git branch named "forgot-password-bypass-ctf" in dkforest repository -><br /> 5 <a href="http://git.dkforestseeaaq2dqz2uflmlsybvnq2irzn4ygyvu53oazyorednviid.onion/n0tr1v/dkforest/src/forgot-password-bypass-ctf"> 6 http://git.dkforestseeaaq2dqz2uflmlsybvnq2irzn4ygyvu53oazyorednviid.onion/n0tr1v/dkforest/src/forgot-password-bypass-ctf 7 </a><br /> 8 </p> 9 <p> 10 The goal of this CTF is to use the forgot-password form to reset another user's password.<br /> 11 The code is vulnerable and allow for such thing to happen.<br /> 12 </p> 13 <p> 14 Instructions:<br /> 15 <ul> 16 <li>Install and run locally dkforest using the "forgot-password-bypass-ctf" branch.</li> 17 <li>Create a user</li> 18 <li>Setup a PGP key in that user's profile (to enable the password recovery feature)</li> 19 <li>Logout</li> 20 <li>Use the form "forgot-password" to reset that other user's password.</li> 21 <li>Login with the new user account.</li> 22 </ul> 23 </p> 24 <p> 25 Pro tips: 26 <ul> 27 <li>In development mode, you can fill the captcha with <code>000000</code> and it will always be accepted.</li> 28 </ul> 29 </p> 30 {{ end }}