Customer Service - Broken access control and Password Cracking

A hosting, domain, and VPS service company has published a web application with supposedly secure measures. However, there are signs that some sections of the system may be improperly exposed and could contain sensitive credentials.

Your mission is to identify whether there are uncontrolled entry points, analyze potential access flaws, and determine if it's possible to simulate the behavior of legitimate users based on the exposed information.

🌱 How to Start This Lab

Follow these instructions to get started:

1. Download the virtual machine from this link:

1   https://storage.googleapis.com/cybersecurity-machines/customer-service-lab.ova

1. Import the machine into your preferred virtualization software (VirtualBox, VMware, etc.).
2. Start the VM and begin the challenge.

Recommended Tools

While the approach is up to you, you may consider using the following tools during your investigation:

• Nmap – for host and service discovery
• Gobuster, Dirb, or FFUF – for exploring hidden directories and paths
• John the Ripper, Hashcat – for analyzing and cracking password hashes
• Burp Suite, cURL, or your browser – to simulate requests or perform login attempts
• CyberChef – for quick manipulation of text and hashes

Remember: systems do not always fail due to complex issues. Sometimes, it is enough to bypass a basic access control.

Good luck!