This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos.
We try to access the /admin URL directly and are blocked by the front-end.
We send the request to Burp Repeater, clear the path in the GET request line (leaving just /), and add the header X-Original-URL: /admin to the request. The front-end only sees a request for /, so it forwards it, and the back-end routes it to /admin based on the header.
We delete the user carlos and the lab is solved.
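The following is an added example, not part of the original write-up or the lab's own code. It models the two components the lab describes: a front-end that blocks external requests whose path starts with /admin, and a back-end framework that treats X-Original-URL as a routing override. It then shows two defender-side changes: stripping the override header at the edge so the path the front-end checked is the path the back-end routes, and having the back-end enforce its own authorisation instead of trusting the front-end block. Request objects, the `is_admin` flag and the log line format are constructed for the demo.

```python
"""Front-end path block defeated by a back-end routing-override header.

Added example (not from the original post). Models the lab's vulnerable
set-up and the hardening a defender applies. All requests are constructed.
"""
from dataclasses import dataclass, field

BLOCKED_PREFIXES = ("/admin",)
# Header the lab names as a routing override honoured by the back-end framework.
# Extend this tuple with any other override header your own framework honours.
OVERRIDE_HEADERS = ("x-original-url",)


@dataclass
class Request:
    path: str                      # path from the request line
    headers: dict = field(default_factory=dict)
    is_admin: bool = False         # constructed stand-in for a real admin session

    def header(self, name):
        """Case-insensitive header lookup, as HTTP requires."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def backend_effective_path(req):
    """Back-end router: an override header, if present, replaces the request-line path."""
    for h in OVERRIDE_HEADERS:
        v = req.header(h)
        if v:
            return v
    return req.path


def backend_vulnerable(req):
    """Back-end that relies entirely on the front-end to keep /admin private."""
    if backend_effective_path(req).startswith(BLOCKED_PREFIXES):
        return 200, "admin panel"
    return 200, "public page"


def backend_hardened(req):
    """Back-end that enforces authorisation itself (defence in depth)."""
    if backend_effective_path(req).startswith(BLOCKED_PREFIXES):
        if not req.is_admin:
            return 401, "admin login required"
        return 200, "admin panel"
    return 200, "public page"


def frontend_vulnerable(req):
    """Checks only the request-line path and forwards all headers untouched."""
    if req.path.startswith(BLOCKED_PREFIXES):
        return 403, "blocked by front-end"
    return backend_vulnerable(req)


def frontend_hardened(req):
    """Drops override headers from external requests before checking the path,
    so the path that is checked is the path the back-end will actually route."""
    clean = Request(
        req.path,
        {k: v for k, v in req.headers.items() if k.lower() not in OVERRIDE_HEADERS},
        req.is_admin,
    )
    if backend_effective_path(clean).startswith(BLOCKED_PREFIXES):
        return 403, "blocked by front-end"
    return backend_hardened(clean)


def detect_override_attempt(req):
    """Detection: a request whose override header disagrees with its request-line
    path is worth logging at the edge even after the header is stripped."""
    for h in OVERRIDE_HEADERS:
        v = req.header(h)
        if v and v != req.path:
            return f"ALERT override header {h}={v} on request-line path {req.path}"
    return None


if __name__ == "__main__":
    direct = Request("/admin")
    bypass = Request("/", {"X-Original-URL": "/admin"})
    print("vulnerable, direct  :", frontend_vulnerable(direct))   # 403
    print("vulnerable, override:", frontend_vulnerable(bypass))   # 200 admin panel
    print("hardened,   override:", frontend_hardened(bypass))     # 200 public page
    print("detection           :", detect_override_attempt(bypass))
```

The key observation is the mismatch between the path the front-end inspected (`req.path`) and the path the back-end routed (`backend_effective_path`). Stripping the header at the edge closes that gap; enforcing authorisation in the back-end means the admin panel stays protected even if some other path mismatch is found later.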
Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. In my blog, we write blog posts that my friends and I want to share. Have a good read.