Privilege Escalation: From being a normal user to admin

Paras Arora
2 min read · Jan 5, 2021

Privilege Escalation: Privilege escalation happens when an attacker exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to system resources that should normally be unavailable to any unauthorized user.

Reference: https://www.netsparker.com/blog/web-security/privilege-escalation/

Hi Infosec Community,

I hope everyone is doing well and hitting the applications hard. I recently encountered a privilege escalation issue, so let’s discuss it.

I was hunting on a private program and started with subdomain enumeration using Subfinder, piping the results through httpx to keep only the live hosts.

subfinder -silent -d domain.com | httpx -silent -o output_file.txt

After that, I ran waybackurls over the live hosts in output_file.txt to pull their historical URLs from the Wayback Machine.

waybackurls < output_file.txt > wayback.txt

I searched wayback.txt for various keywords and finally found something really interesting containing the keyword “admin”:

https://www.domain.com/xxx/xxxx/page/login/?redirect_uri=https%3A%2F%2Fwww.domain.com%2Fadmin%2F&app_id=xx
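Searching the wayback output for keywords is more reliable when you decode the URLs first: in the URL above the admin path is hidden inside a percent-encoded redirect_uri, so grepping the raw line for “/admin” would miss it. The following script is an added example, not code from the original post; it triages a waybackurls-style list by decoding every query parameter, recursing into nested URLs in redirect-style parameters, and flagging paths, parameter names and values that mention sensitive keywords. The keyword and redirect-parameter lists and the sample lines are assumptions (domain.com is a placeholder, as in the post).

```python
"""Triage a waybackurls-style URL list for privilege-sensitive entries.

Added example, not code from the original post. It reads a URL list in the
shape of wayback.txt (a small constructed sample is embedded below; domain.com
is a placeholder), URL-decodes every query parameter, and flags URLs whose
path, parameter names or decoded parameter values mention sensitive keywords.
The decoding step is the point: in the post's URL the admin path sits inside a
percent-encoded redirect_uri, so grepping the raw line for "/admin" misses it.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Keywords from the post's takeaways plus a few common ones (assumed list).
SENSITIVE_KEYWORDS = ("admin", "api_key", "apikey", "token", "secret", "password")

# Parameter names that typically carry a nested URL (assumed list).
REDIRECT_PARAMS = ("redirect_uri", "redirect", "redirect_url", "next", "return_url", "url")

# Constructed sample in the shape of wayback.txt.
SAMPLE_WAYBACK = """\
https://www.domain.com/
https://www.domain.com/xxx/xxxx/page/login/?redirect_uri=https%3A%2F%2Fwww.domain.com%2Fadmin%2F&app_id=xx
https://www.domain.com/api/v1/users?api_key=REDACTED
https://www.domain.com/blog/administrivia-is-boring
https://www.domain.com/account/settings?role=admin
"""


def triage_url(url, _depth=0):
    """Return a list of (reason, evidence) findings for one URL; [] if nothing is flagged."""
    findings = []
    parts = urlsplit(url.strip())
    # Whole path segments only, so a slug like "administrivia" does not fire.
    segments = [s.lower() for s in unquote(parts.path).split("/") if s]
    for kw in SENSITIVE_KEYWORDS:
        if kw in segments:
            findings.append(("path", kw))

    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lname = name.lower()
        decoded = unquote(value)  # parse_qsl decoded once; this also catches double-encoding
        if any(kw in lname for kw in SENSITIVE_KEYWORDS):
            findings.append(("param-name", name))
        if decoded.lower() in SENSITIVE_KEYWORDS:
            findings.append(("param-value", f"{name}={decoded}"))
        # Recurse into nested URLs (bounded, so a self-referencing redirect cannot loop forever).
        if lname in REDIRECT_PARAMS and _depth < 3:
            for reason, evidence in triage_url(decoded, _depth + 1):
                findings.append(("nested:" + reason, evidence))
    return findings


def triage_list(text):
    """Map each flagged URL in a newline-separated list to its findings."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        findings = triage_url(line)
        if findings:
            results[line] = findings
    return results


if __name__ == "__main__":
    # Real use: python3 triage.py < wayback.txt  (the sample is used when stdin is a terminal)
    import sys
    data = SAMPLE_WAYBACK if sys.stdin.isatty() else sys.stdin.read()
    for url, findings in triage_list(data).items():
        print(url)
        for reason, evidence in findings:
            print(f"    {reason}: {evidence}")
```

Run it with the real list on stdin; every line it prints is worth opening by hand, the “nested:” findings in particular, because those are the login and redirect flows where an attacker-controlled parameter decides where, and as what, the user ends up.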

Next, I signed up for a normal account at domain.com/register to get some insight into the application, and explored it while keeping the above URL from wayback.txt in mind. Nothing in the features available to that account was related to admin.

So, out of curiosity, I opened a new tab next to the one in which I was logged in as a normal user and pasted the above URL.

After the page loaded, I analyzed the result for a while.

Visiting that URL, which redirected to the URL containing the “admin” keyword with the admin app_id, turned my normal user session into an admin session, and I was able to access functionality that had been unauthorized before.

This is how I gained access to all the admin functionality and obtained the higher-privileged role on the web application. The important point is that no admin credentials were involved: simply loading a login URL with a client-controlled redirect_uri and app_id, while already authenticated as a normal user, was enough to change the privilege level of that existing session.

Takeaways

  • Explore the application thoroughly.
  • Always look for sensitive keywords like admin, api_key, token, etc.
  • Look for URLs containing the “admin” keyword.
  • Be curious; you will definitely land a great finding.
  • Open higher-privileged requests directly in a new tab next to the one in which the normal user is logged in; sometimes you will gain access to functionality that is not authorized for that user.
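The last takeaway is a differential authorization test, and it is worth automating so that the before/after comparison is exact rather than eyeballed. The script below is an added example, not code from the original post: with the normal user’s session it probes a set of admin-only endpoints, visits the suspicious URL with that same session, probes again, and reports every endpoint that was denied before and served afterwards. The HTTP transport is a plain fetch(url) -> status callable, so the logic runs offline against a constructed stand-in for the vulnerable app; urllib_fetcher builds a real one from a cookie header. The endpoint paths, cookie header and the simulated server’s behaviour are assumptions, not facts from the post.

```python
"""Differential authorization check for a suspected privilege-escalation URL.

Added example, not code from the original post. It automates the step the post
describes by hand: with a normal user's session, probe admin-only endpoints,
visit the suspicious URL with that same session, probe again, and report every
endpoint that was denied before and is allowed afterwards. The transport is a
`fetch(url) -> HTTP status` callable so the logic runs offline against the
constructed `simulated_fetcher` below; `urllib_fetcher` builds a real one from
a cookie header. The endpoint paths, cookie header and the simulated server's
behaviour are assumptions, not facts from the post.
"""
import urllib.error
import urllib.request


def allowed(status):
    """Treat only 2xx as 'served'; 401/403/404 and login redirects all count as denied."""
    return 200 <= status < 300


def urllib_fetcher(cookie_header, timeout=10):
    """Real transport: GET with the normal user's cookie, without following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)

    def fetch(url):
        req = urllib.request.Request(url, headers={"Cookie": cookie_header})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    return fetch


def simulated_fetcher():
    """Constructed stand-in for the vulnerable app: loading the login URL with the admin
    redirect_uri flips the current session to admin, the behaviour the post observed."""
    session = {"admin": False}

    def fetch(url):
        if "/page/login/" in url and "%2Fadmin%2F" in url:
            session["admin"] = True
            return 302  # redirected on to /admin/
        if "/admin" in url:
            return 200 if session["admin"] else 403
        return 200

    return fetch


def check_escalation(fetch, trigger_url, probe_urls):
    """Probe, trigger, probe again; return the statuses and which probes flipped to allowed."""
    before = {u: fetch(u) for u in probe_urls}
    trigger_status = fetch(trigger_url)
    after = {u: fetch(u) for u in probe_urls}
    escalated = [u for u in probe_urls if not allowed(before[u]) and allowed(after[u])]
    return {
        "trigger_status": trigger_status,
        "before": before,
        "after": after,
        "escalated": escalated,
    }


TRIGGER = ("https://www.domain.com/xxx/xxxx/page/login/"
           "?redirect_uri=https%3A%2F%2Fwww.domain.com%2Fadmin%2F&app_id=xx")
PROBES = [
    "https://www.domain.com/admin/",
    "https://www.domain.com/admin/users",       # assumed admin-only endpoint
    "https://www.domain.com/account/settings",  # control: a page the normal user can already see
]

if __name__ == "__main__":
    # Real run: report = check_escalation(urllib_fetcher("session=<normal user cookie>"), TRIGGER, PROBES)
    report = check_escalation(simulated_fetcher(), TRIGGER, PROBES)
    for url in PROBES:
        print(f"{report['before'][url]} -> {report['after'][url]}  {url}")
    print("escalated:", report["escalated"] or "none")
```

Keep a control URL in the probe list that the normal user can already reach; if it changes state too, the difference is a session or rate-limit artifact rather than escalation. Run the check from a throwaway test account, never from the account whose privileges you are comparing against.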

Twitter: https://twitter.com/parasarora06

Paras Arora, Penetration Tester | Application Security

Social media: @parasarora06