A Short Story of Vertical Privilege Escalation (Admin Account Takeover)
Hello guys, hope all of you are doing well. I am Amiya Behera, an Information Security Analyst at a private organization in India, and also a part-time bug hunter. As this is my first write-up, forgive me if you find any mistake or noob thing. Here I am going to write about one of my findings, where I could get admin privileges with only normal user access.
What is Privilege Escalation:
A privilege escalation vulnerability is also known as a Broken Access Control vulnerability.
Privilege escalation is a type of attack in which a hacker exploits a web app or piece of software to gain access to a resource that is normally protected by the application. Attackers start by finding weak points in an organization's defenses and gaining access to a system; from there they can reach private information or perform CRUD (Create-Read-Update-Delete) operations on any user or data.
Privilege escalation is basically divided into two types:
1: Vertical Privilege Escalation: From User to Superuser (admin)
A normal or low-privileged user gets access to functionality that is defined only for the superuser or admin user.
2: Horizontal Privilege Escalation: From a non-user of a system to a user.
A normal user with ordinary access, or someone without any account in the system, uses a vulnerability in the web app to gain access to functions or content that belong to other normal users.
Boring enough. Now let's talk about how I reproduced this issue:
I work for an organization where I was given a project to do penetration testing. The application is a document management application, where a user can upload and check other documents, chat internally with the admin and other users, and create his/her own organization.
When I started testing I had a test user account (docuser). I entered my credentials, and in the dashboard I found I only had access to Dashboard, Documents and Schedule Change. I captured the login request in Burp Suite to check if anything could be done, and found in the response section "Userrole":docstaff,
where the user role is set to "docstaff". It looked suspicious to me, so I read some blogs/write-ups regarding this and found some possible exploitation. Once again I captured the request and clicked on {do intercept → response to this request}. Then I tried changing "Userrole" to "admin" and "administrator", but still got the normal user dashboard. But when I changed it to "super" and forwarded the request, I got Admin Dashboard access.
In the admin dashboard I could now see and change all other users' details, sensitive (private) documents and the admin's internal messages, and, most importantly, change the admin's and users' email IDs and passwords, and grant any user permission to do CRUD (Create-Read-Update-Delete) operations.
As I told you earlier, this was a project of my office, so there were only 2 accounts in the dashboard and it was on QA.
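The root cause in the story above is that the application let a role value the client received (and could edit in a proxy) decide which dashboard and which functions were available. The following is an added example, not code from the write-up or from the application tested, that models the vulnerable pattern beside the hardened one: the hardened handler ignores any client-supplied "Userrole" and resolves the role from server-side session state on every request, and a small detection hook flags requests whose asserted role disagrees with the server's record. The user store, session store, the "docuser" account, the "super" role and the endpoint names are all constructed assumptions modelled on the write-up.

```python
"""Added example: a role sent to the client must never be the source of
truth for authorization. All users, roles and session values below are
constructed for illustration; they are not the real application's data.
"""
from dataclasses import dataclass

# Constructed server-side user store: the only place roles may come from.
USERS = {
    "docuser": {"password": "pw-docuser", "role": "docstaff"},
    "docadmin": {"password": "pw-docadmin", "role": "super"},
}

# Constructed session store: session id -> username. In a real deployment
# this is a server-side session backend, never a value stored in the client.
SESSIONS = {}

# Roles that may see the admin dashboard (assumed, modelled on the write-up).
ADMIN_ROLES = {"super"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: a session cookie plus a
    client-controlled body (e.g. a JSON field edited in a proxy)."""
    session_id: str
    body: dict


def login(username: str, password: str) -> tuple[str, dict]:
    """Authenticate and return (session_id, response_json).

    The response still tells the client its role so the UI can render menus;
    that is harmless as long as the server never reads it back for
    authorization decisions.
    """
    user = USERS.get(username)
    if user is None or user["password"] != password:
        raise PermissionError("invalid credentials")
    session_id = f"sess-{username}"  # constructed; use a random token in practice
    SESSIONS[session_id] = username
    return session_id, {"Userrole": user["role"]}


def admin_dashboard_vulnerable(req: Request) -> str:
    """Vulnerable pattern: the role is read from client-supplied data, so a
    modified response or body field decides what the user is allowed to see."""
    if req.body.get("Userrole") in ADMIN_ROLES:
        return "admin dashboard"
    return "user dashboard"


def admin_dashboard_hardened(req: Request) -> str:
    """Hardened pattern: the role is resolved from the server-side session on
    every request; whatever the client claims about its role is ignored."""
    username = SESSIONS.get(req.session_id)
    if username is None:
        raise PermissionError("not authenticated")
    if USERS[username]["role"] in ADMIN_ROLES:
        return "admin dashboard"
    return "user dashboard"


def role_mismatch_alert(req: Request) -> bool:
    """Detection hook: True when the client-asserted role disagrees with the
    server-side role. Repeated mismatches from one session are worth logging
    and alerting on, because legitimate clients never send a different role."""
    username = SESSIONS.get(req.session_id)
    claimed = req.body.get("Userrole")
    if username is None or claimed is None:
        return False
    return claimed != USERS[username]["role"]


if __name__ == "__main__":
    sid, resp = login("docuser", "pw-docuser")
    # Constructed tampered request: the client asserts a role it does not have.
    tampered = Request(sid, {"Userrole": "super"})
    print("vulnerable handler :", admin_dashboard_vulnerable(tampered))
    print("hardened handler   :", admin_dashboard_hardened(tampered))
    print("mismatch alert     :", role_mismatch_alert(tampered))
```

The point of the hardened handler is that the role lookup happens on the server for every privileged request, keyed by the session, so the value shown in the login response is only a hint to the UI and nothing more. Logging the mismatch on the server gives the defender a cheap signal that role fields are being tampered with, even on endpoints that already enforce access correctly.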
Hope this will help in your #bugbounty to earn some $$$$.
Thanks to the #infosec and #bugbounty community.
Thanks for reading. Thank you to all the leets for sharing your bug-bounty tips. I hope in the future I can contribute more to this community.
If you like this write-up, please give a clap and let me know if there is anything else or any method I can try.
For any quick query or to get in touch with me, you can follow me on
Twitter: https://twitter.com/StormBreaker_AB
Linkedin: https://www.linkedin.com/in/amiya-behera-62796aa6/