
Host Hijack

Can you hijack the admin account and escalate to root?

Difficulty: Medium | Updated: 10 Jun 2026 | Free Access | Solution (Pro)
Tags: Host Header Injection, Password Reset Poisoning, Command Injection, Privilege Escalation, HTTP Headers

MediTrack Health's password reset feature has a subtle flaw in how it constructs reset links. Exploit it to take over the admin account, then find a way to escalate your privileges on the server.

Flags: 2 | XP: 400 | Success Rate: 40%

Host header injection is a web application vulnerability that exploits how applications use the HTTP Host header to generate links, redirects, and other content. One of the most dangerous manifestations of this vulnerability is password reset poisoning, where an attacker manipulates the Host header to redirect password reset links to a server they control, enabling account takeover without any interaction from the victim beyond clicking the reset link.

How Password Reset Poisoning Works

When a user requests a password reset, the application typically generates a unique token and constructs a reset URL using the Host header from the incoming request. If the application blindly trusts the Host header, an attacker can initiate a password reset for a target account while injecting a malicious Host header pointing to their own server. The reset email sent to the victim contains a link with the attacker's domain, and when clicked, the reset token is leaked to the attacker's server - granting them the ability to reset the victim's password and take over the account.

Real-World Impact and Attack Chains

Password reset poisoning has been found in numerous production applications, including major web frameworks and CMS platforms. The vulnerability is particularly dangerous in healthcare, financial, and administrative systems where account takeover can lead to access to sensitive data. In penetration testing scenarios, gaining admin access through password reset poisoning is often chained with additional vulnerabilities - such as command injection in administrative tools - to escalate from web application compromise to full server access and privilege escalation.

Detection and Prevention

Applications should never use the Host header directly when constructing URLs in emails or redirects. Instead, the application's canonical domain should be stored in configuration and used consistently. Server-side validation of the Host header against an allowlist of permitted domains prevents manipulation. Proxy-supplied headers such as X-Forwarded-Host, which many frameworks honour in place of Host, must be treated with the same caution. Regular security testing that includes Host header manipulation helps identify these vulnerabilities before they can be exploited.
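The following is an added illustration, not code from the lab or from MediTrack Health: it places a reset-link builder that trusts the Host (and X-Forwarded-Host) header beside a hardened version that validates the header against an allowlist and builds the link from configuration, and it adds a small detection helper that flags reset requests whose Host value is outside the allowlist. The domain names, the CONFIG values, the header dictionaries and the log line format are all constructed for the example.

```python
"""Password reset link construction: Host-header-trusting version beside a hardened one.

Constructed example; the domains, config values, headers and log format below are
assumptions for illustration, not the lab application's real code.
"""
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode

# Assumed configuration: the canonical origin lives in config, not in the request.
CONFIG = {
    "base_url": "https://portal.example-health.test",  # placeholder domain
    "allowed_hosts": {"portal.example-health.test"},
}


def build_reset_link_vulnerable(request_headers: Dict[str, str], token: str) -> str:
    """Vulnerable: the link host is whatever the client sent.

    Many frameworks prefer X-Forwarded-Host over Host when behind a proxy, so
    both headers end up controlling where the emailed reset link points.
    """
    host = request_headers.get("X-Forwarded-Host") or request_headers["Host"]
    return f"https://{host}/reset?{urlencode({'token': token})}"


def host_is_allowed(host: Optional[str], allowed_hosts: Set[str]) -> bool:
    """Exact-match allowlist check with the port stripped and case folded."""
    if not host:
        return False
    hostname = host.split(":", 1)[0].strip().lower()
    return hostname in allowed_hosts


def build_reset_link_hardened(
    request_headers: Dict[str, str], token: str, config: dict = CONFIG
) -> str:
    """Hardened: reject unexpected Host values, then build the link from config.

    The request headers are only used as a sanity check; the link itself always
    uses the configured base URL, so a forged header cannot redirect it.
    """
    allowed = config["allowed_hosts"]
    if not host_is_allowed(request_headers.get("Host"), allowed):
        raise ValueError("rejected request: Host header not in allowlist")
    forwarded = request_headers.get("X-Forwarded-Host")
    if forwarded is not None and not host_is_allowed(forwarded, allowed):
        raise ValueError("rejected request: X-Forwarded-Host not in allowlist")
    return f"{config['base_url']}/reset?{urlencode({'token': token})}"


def flag_suspicious_hosts(log_lines: List[str], allowed_hosts: Set[str]) -> List[str]:
    """Detection helper: return log lines whose host field is outside the allowlist.

    Assumes a constructed log format of `<ip> <method> <path> host=<value>`.
    """
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if not host_is_allowed(fields.get("host"), allowed_hosts):
            flagged.append(line)
    return flagged


# Constructed sample data.
LEGIT_HEADERS = {"Host": "portal.example-health.test"}
FORGED_HEADERS = {"Host": "attacker.example"}
SAMPLE_LOG = [
    "203.0.113.5 POST /forgot-password host=portal.example-health.test",
    "203.0.113.9 POST /forgot-password host=attacker.example",
    "198.51.100.2 POST /forgot-password host=portal.example-health.test:443",
]

if __name__ == "__main__":
    token = "tok-constructed-123"
    print("vulnerable, forged :", build_reset_link_vulnerable(FORGED_HEADERS, token))
    print("hardened, legit    :", build_reset_link_hardened(LEGIT_HEADERS, token))
    try:
        build_reset_link_hardened(FORGED_HEADERS, token)
    except ValueError as exc:
        print("hardened, forged   :", exc)
    for line in flag_suspicious_hosts(SAMPLE_LOG, CONFIG["allowed_hosts"]):
        print("suspicious:", line)
```

The hardened builder deliberately does not fall back to the Host header even after validation: the allowlist check decides whether to serve the request at all, and the link origin comes from configuration alone, which is the behaviour the prevention advice above calls for. The detection helper is the same allowlist check applied to access logs, so a reset endpoint receiving requests with unexpected Host values becomes visible to monitoring.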

What You Will Learn

  • Understand how Host header injection vulnerabilities work in web applications
  • Learn password reset poisoning techniques for account takeover
  • Practice exploiting HTTP header manipulation in authentication flows
  • Chain web application access with command injection for deeper compromise
  • Develop privilege escalation skills on Linux systems
  • Recognize how to defend against Host header injection attacks

Prerequisites

  • HTTP protocol fundamentals
  • Web application security basics
  • Understanding of authentication flows
  • Basic Linux command line

New here? Here's what to do

1. Click "Start Lab" above. You'll get your own private machine with an IP address.
2. Explore the target. Open the IP in your browser and look for vulnerabilities.
3. Find and submit flags. Flags are secret text strings hidden in the system; paste them below to score.