Forgot - HTB [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
When you're in, you can go to admin_tickets and change the Authorization header to admin instead of robert, with the password the same as the one you changed it to, then encode it as base64.

Here is the output:

I've tried with diego:dCb#1!x0%gjq. The automation tasks have been blocked due to this issue. Please resolve this at the earliest.
Reply
I get invalid token too quickly on this box.
Reply
(November 12, 2022, 09:10 PM)Hacker2222 Wrote: You can change the Host header of the forgot request to your own IP. Then other reset requests get sent to your listener. Most tokens don't work, don't know why, sometimes they work. You can reset the password and get into the panel, but the password gets reset back after 2 mins... worst box ever.


Can relate.

But are you receiving different tokens each time?
Even if I leave the listener on, I'm receiving the same token over and over until I reset the machine. (Of course the token will be different, but it will keep appearing.)
Reply
(November 12, 2022, 09:48 PM)yumi Wrote: I get invalid token too quickly on this box.


Follow what Hacker2222 said above.
Reply
Thank you.
Reply
(November 12, 2022, 09:10 PM)Hacker2222 Wrote: You can change the Host header of the forgot request to your own IP. Then other reset requests get sent to your listener. Most tokens don't work, don't know why, sometimes they work. You can reset the password and get into the panel, but the password gets reset back after 2 mins... worst box ever.


I think I found the issue.

Some tokens have special chars (like '/'): copy the token, URL-encode it and put it in the token field.
Reply
I always get invalid token. I think I'm doing something wrong.

Is it password=test&token= ?

Or did you guys just add this token= in the browser?
Reply
(November 12, 2022, 10:56 PM)yumi Wrote: I always get invalid token. I think I'm doing something wrong.

Is it password=test&token= ?

Or did you guys just add this token= in the browser?


You should navigate to
http://[machine.ip]/reset?token=[URL_ENCODED_CAPTURED_TOKEN]

To encode, in Burp go to Decoder -> paste the token -> encode as URL. Copy the encoded value and paste it into ?token=[] in the browser URL. Then type the new password and log in through the main site.
Reply
diego@forgot:~$ sudo -l
Matching Defaults entries for diego on forgot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User diego may run the following commands on forgot:
    (ALL) NOPASSWD: /opt/security/ml_security.py

I need to root. Help me! Big hint needed.
Reply
Can someone explain more how to get the token using password reset poisoning, please? After modifying the Host header so that it points to a domain that I control, what should I do?
Reply
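The Host-header reset-link poisoning this thread revolves around, and the URL-encoding problem with tokens containing '/', seen from the application side. This is an added example, not code from the box or from any poster: the vulnerable pattern builds the emailed reset link from the client-controlled Host header, while the hardened version uses a configured canonical origin, validates Host against an allow-list, and percent-encodes the token. CANONICAL_ORIGIN, ALLOWED_HOSTS, the function names and the sample hosts are all constructed assumptions.

```python
from urllib.parse import quote, urlsplit

# Constructed configuration (assumptions): the origin the application
# should always use for links it sends out, and the hosts it serves.
CANONICAL_ORIGIN = "https://forgot.example"
ALLOWED_HOSTS = frozenset({"forgot.example"})


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """Vulnerable pattern: the link origin comes from the request's Host
    header, so whoever sent the forgot request chooses where the emailed
    link points. The raw token is also interpolated, so a '/' inside it
    breaks the URL and the reset endpoint reports an invalid token."""
    return f"http://{host_header}/reset?token={token}"


def build_reset_link_hardened(host_header: str, token: str) -> str:
    """Hardened pattern: Host is only checked against the allow-list, never
    used to build the link; the origin is the configured canonical one and
    the token is percent-encoded so '/' and '+' survive the round trip."""
    if not host_is_allowed(host_header):
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"


def host_is_allowed(host_header: str) -> bool:
    """Allow-list check on the Host header (case-insensitive exact match)."""
    return host_header.strip().lower() in ALLOWED_HOSTS


def link_is_poisoned(link: str) -> bool:
    """Detection helper for tests or outbound-mail review: does the link's
    scheme/netloc differ from the canonical origin?"""
    parts = urlsplit(link)
    canon = urlsplit(CANONICAL_ORIGIN)
    return (parts.scheme, parts.netloc) != (canon.scheme, canon.netloc)


if __name__ == "__main__":
    attacker_host = "listener.example:8000"   # constructed sample value
    token = "ab/cd+e"                         # constructed token with '/'
    print(build_reset_link_vulnerable(attacker_host, token))
    print(build_reset_link_hardened("forgot.example", token))
```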

