Register an account. While logging in, you will notice something suspicious: the session cookie is exactly 32 characters long, which is the length of an MD5 hex digest.

Next, try a reverse lookup of the session cookie using https://crackstation.net/

The lookup returns 4, which appears to be the user ID.

echo -n 3 | md5sum                                                          
eccbc87e4b5ce2fe28308fd9f2a7baf3  -

Try accessing the dashboard with the session cookie set to the MD5 hash of 3.

This works, and we get access to the account of Michael, the intern.

Trying the MD5 hashes of 1 and 2 redirected to the login page.
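
The root cause so far is a session cookie derived directly from the user ID. As an added example (not code from the challenge application; the function and class names are assumptions), the Python below shows that scheme, an audit check that flags tokens built this way, and a server-side store that issues random tokens instead:

```python
import hashlib
import secrets
from typing import Dict, Optional


def weak_session_token(user_id: int) -> str:
    """Scheme observed in the write-up: cookie = MD5(user ID)."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def derived_from_small_id(token: str, max_id: int = 10_000) -> Optional[int]:
    """Audit check: return the user ID if the token is MD5 of a small integer."""
    token = token.strip().lower()
    if len(token) != 32:  # not the length of an MD5 hex digest
        return None
    for uid in range(max_id + 1):
        if weak_session_token(uid) == token:
            return uid
    return None


class SessionStore:
    """Hardened form: opaque random token, mapped to the user on the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, int] = {}

    def create(self, user_id: int) -> str:
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def lookup(self, token: str) -> Optional[int]:
        # Unknown or revoked tokens resolve to no user at all.
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    cookie = weak_session_token(3)  # same value as the md5sum output above
    print(cookie, "-> user ID", derived_from_small_id(cookie))
    store = SessionStore()
    strong = store.create(3)
    print(strong, "-> user ID", derived_from_small_id(strong))
```

With the random token, knowing a user ID reveals nothing about that user's cookie, and logging out can invalidate it through `revoke`.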

The sidebar now shows a new option, Inbox, which leads to a new endpoint, /inbox.

This hints at a misconfiguration in the forgot-password feature. We also get a new email address, possibly belonging to user ID 1 or 2 (edward.department@securemfb.org).

The profile page shows Michael's email address (michael.intern@securemfb.org).

So let's explore the forgot-password functionality with Michael's account, since we have access to his inbox.

The match-and-replace feature of Burp Suite helps automate swapping the session cookie.

We see a password reset request in the inbox.