Privilege Escalation: From being a normal user to admin

Privilege Escalation: Privilege escalation happens when an attacker exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to system resources that should normally be unavailable to any unauthorized user.

Reference: https://www.netsparker.com/blog/web-security/privilege-escalation/

Hi Infosec Community,

I hope everyone is fine and hitting hard on the applications. I encountered a privilege escalation issue, so let’s discuss it.

I was hunting on a private program and started with subdomain enumeration with Subfinder.

subfinder -d domain.com | httpx -o output_file.txt

After that, I ran Waybackurls on output_file.txt.

cat output_file.txt | waybackurls > wayback.txt

I was searching for various keywords in the wayback.txt file and finally got something really interesting containing the keyword “admin”:

https://www.domain.com/xxx/xxxx/page/login/?redirect_uri=https%3A%2F%2Fwww.domain.com%2Fadmin%2F&app_id=xx

Next, I signed up for an account on domain.com/register to get an insight into the application and explored it while keeping an eye on the above URL, which I had found in wayback.txt. I was exploring the features and there was nothing related to admin.

So, out of curiosity, I opened a new tab adjacent to the current tab, in which I was logged in with a normal user account, and pasted the above URL.

After the results were displayed on my screen, I analyzed the resulting webpage for a while.

So, after hitting the URL, which was redirecting to a URL containing the “admin” keyword and the app_id of admin, my normal user account changed to admin and I was able to access functionalities that were initially unauthorized.

So, this is how I was able to get access to all the admin functionalities and achieve a higher-privileged role on the web application.
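
On the defensive side, the behaviour above is what results when a login/redirect handler trusts the client-supplied app_id to decide the session role. The following is an added example, not code from the target application; the root cause is an assumption, and USER_APPS, APP_ROLES, the app_id values and all function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed sample data: server-side record of which app_ids each account may use.
USER_APPS = {"alice": {"user-app"}, "root": {"user-app", "admin-app"}}
APP_ROLES = {"user-app": "user", "admin-app": "admin"}
ALLOWED_REDIRECT_HOSTS = {"www.domain.com"}


def login_redirect_vulnerable(session, app_id, redirect_uri):
    """Assumed flaw: the session role is taken from the client-supplied app_id."""
    session["role"] = APP_ROLES.get(app_id, "user")
    return redirect_uri


def login_redirect_hardened(session, app_id, redirect_uri):
    """The role is granted only if the logged-in user is entitled to app_id."""
    user = session.get("user")
    if user is None:
        raise PermissionError("not authenticated")
    # Entitlement comes from server-side data, never from the query string.
    if app_id not in USER_APPS.get(user, set()):
        raise PermissionError("user is not entitled to this app_id")
    # Only redirect to hosts the application owns.
    target = urlparse(redirect_uri)
    if target.scheme != "https" or target.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirect_uri is not on the allow-list")
    session["role"] = APP_ROLES[app_id]
    return redirect_uri


def require_admin(session):
    """Admin endpoints re-check the role stored in the server-side session."""
    return session.get("role") == "admin"
```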

Takeaways

  • Explore the application thoroughly

Twitter: https://twitter.com/parasarora06

Social media: @parasarora06, Penetration Tester | Application Security