[Exploit a race](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) in **`POST /my-account/change-email`** so your account claims **`
[email protected]`**. That address carries a pending **admin invite**. After takeover:
1. Access **Admin panel**
2. Delete user **carlos**
Creds to log in: `wiener:peter`.
Email inbox: anything sent to `@exploit-<YOUR-ID>.exploit-server.net`.
---
## Threat model (1-paragraph mental model)
The app stores **one** “pending email change” per user. Each request updates the **same DB row**. Email sending is asynchronous: a worker renders the template by **re-reading** the pending email from DB. If two change requests race, the worker can **send to your inbox** but render the body/token for **Carlos’s address**. Clicking that link binds **Carlos** to your session.
---
## Step-by-step (strictly per walkthrough)
### 1) Baseline flow
1. Log in as `wiener:peter`.
2. Go to **Change email**. Submit:
`anything@exploit-<YOUR-ID>.exploit-server.net`.
3. Open the **email client** (the lab’s built-in inbox). Click the confirmation link.
Confirm your email updates on **My account**.
### 2) Confirm “single pending email” invariant
1. Submit **two different** `@exploit-<YOUR-ID>.exploit-server.net` emails **back-to-back**.
2. In the inbox, open the **first** message’s link → it’s **invalid** now.
**Inference:** app stores **only one** pending email (row overwritten), so a **race** is viable.
### 3) Benchmark with Repeater (sequence vs parallel)
1. From Proxy history, send **`POST /my-account/change-email`** to **Repeater**.
2. Create a **Tab Group**. **Duplicate** until you have \~20 tabs.
3. In each tab, set a **unique** mailbox (e.g., `t1@…`, `t2@…`, …).
4. **Send in sequence** (separate connections): you should get **one email per request**.
5. **Send in parallel**: you’ll observe that some emails’ **body address** doesn’t match the **recipient**.
**Inference:** template reads “pending email” at render time → window exists.
### 4) Exploit (two-tab parallel send)
![[CleanShot 2025-08-18 at
[email protected]]]
1. New tab group with **two** copies of `POST /my-account/change-email`:
* **Tab A**: `email=anything@exploit-<YOUR-ID>.exploit-server.net`
* **Tab B**: `
[email protected]`
2. **Send group → In parallel** (prefer one connection; if Burp shows the option, **disable** “separate connections”).
If no win, try the same with **separate connections**. Repeat a few times.
![[CleanShot 2025-08-18 at
[email protected]]]
### 5) Claim and escalate
1. In the inbox, find a fresh confirmation mail where the **body** shows **`
[email protected]`** (even if sent to your `@exploit-…` address).
2. Click the link → your account email becomes **Carlos**.
3. Go to **My account** ⇒ link to **Admin panel** appears.
4. Open **Admin** ⇒ delete user **carlos**. Lab solved.