[Exploit a race](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) in **`POST /my-account/change-email`** so your account claims **`[email protected]`**. That address carries a pending **admin invite**. After takeover: 1. Access **Admin panel** 2. Delete user **carlos** Creds to log in: `wiener:peter`. Email inbox: anything sent to `@exploit-<YOUR-ID>.exploit-server.net`. --- ## Threat model (1-paragraph mental model) The app stores **one** “pending email change” per user. Each request updates the **same DB row**. Email sending is asynchronous: a worker renders the template by **re-reading** the pending email from DB. If two change requests race, the worker can **send to your inbox** but render the body/token for **Carlos’s address**. Clicking that link binds **Carlos** to your session. --- ## Step-by-step (strictly per walkthrough) ### 1) Baseline flow 1. Log in as `wiener:peter`. 2. Go to **Change email**. Submit: `anything@exploit-<YOUR-ID>.exploit-server.net`. 3. Open the **email client** (the lab’s built-in inbox). Click the confirmation link. Confirm your email updates on **My account**. ### 2) Confirm “single pending email” invariant 1. Submit **two different** `@exploit-<YOUR-ID>.exploit-server.net` emails **back-to-back**. 2. In the inbox, open the **first** message’s link → it’s **invalid** now. **Inference:** app stores **only one** pending email (row overwritten), so a **race** is viable. ### 3) Benchmark with Repeater (sequence vs parallel) 1. From Proxy history, send **`POST /my-account/change-email`** to **Repeater**. 2. Create a **Tab Group**. **Duplicate** until you have \~20 tabs. 3. In each tab, set a **unique** mailbox (e.g., `t1@…`, `t2@…`, …). 4. **Send in sequence** (separate connections): you should get **one email per request**. 5. **Send in parallel**: you’ll observe that some emails’ **body address** doesn’t match the **recipient**. **Inference:** template reads “pending email” at render time → window exists. ### 4) Exploit (two-tab parallel send) ![[CleanShot 2025-08-18 at [email protected]]] 1. New tab group with **two** copies of `POST /my-account/change-email`: * **Tab A**: `email=anything@exploit-<YOUR-ID>.exploit-server.net` * **Tab B**: `[email protected]` 2. **Send group → In parallel** (prefer one connection; if Burp shows the option, **disable** “separate connections”). If no win, try the same with **separate connections**. Repeat a few times. ![[CleanShot 2025-08-18 at [email protected]]] ### 5) Claim and escalate 1. In the inbox, find a fresh confirmation mail where the **body** shows **`[email protected]`** (even if sent to your `@exploit-…` address). 2. Click the link → your account email becomes **Carlos**. 3. Go to **My account** ⇒ link to **Admin panel** appears. 4. Open **Admin** ⇒ delete user **carlos**. Lab solved.