Privilege Escalation with simple recon

Mayur Gupta
Nov 17 · 2 min read

Today I want to share a privilege escalation chain, combined with blind XSS, which I found on a private program. In this write-up I will explain how I found the privilege escalation and the methodology behind it.

Before starting the exploitation part, let me give you some information about the target application. I was invited to a private program where one of the target websites, let's say "example.com", had a subdomain "xyz.example.com" that sells books and newsletters online. Before starting the actual testing on this subdomain I performed some recon on it: directory search, Nmap, Wayback, etc. During the directory search I found an interesting directory, cAdmin.asp, returning a 301 status code. When I opened "https://xyz.example.com/cAdmin.asp" I was redirected to the login page "https://xyz.example.com/login.asp", so I assumed I needed admin credentials to access this directory.

After some time I opened the same URL (https://xyz.example.com/cAdmin.asp) in my Chrome browser with a normal user session and got a forbidden message on my screen. But after scrolling down, I saw four buttons: admin.asp, addresses.asp, Cpanel.asp and store.asp. Of these four, only addresses.asp worked: when I clicked it I successfully entered the administrator menu.

[screenshot: administrator menu]

From here I was only able to access the address functionality of the administrator, so I went into "view addresses".

[screenshot: view addresses]

I was able to update or remove any user's address. For testing purposes, I updated the address of my other account with an XSS payload, and when I logged into that second account the payload fired. The reverse is also possible: from a normal user account, add an address containing an XSS payload, then open the administrator menu and the payload fires there.

So from the administrator menu it is possible to steal any user's cookie with XSS, and from a normal user account it is possible to steal the administrator's cookie with XSS.
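The write-up describes two defects working together: the role check is applied only to the cAdmin.asp entry page while the addresses.asp sub-page trusts whoever reaches it, and the stored address is rendered into HTML without escaping. The following is an added example, not code from the original post or the target site, that models both defects in a small Python request handler next to the hardened form. The route names mirror the buttons mentioned above; the users, the address store and the stored payload are constructed for the demonstration.

```python
"""
Added example (not from the original write-up): a toy request handler that
reproduces the two defects described in the post (admin sub-page reachable
without the check that guards the menu page, and address text rendered
unescaped) and the hardened version (deny-by-default on every admin route,
escaping on output). All users, routes and stored values are constructed.
"""
from __future__ import annotations

import html
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str  # "admin" or "user"


@dataclass
class Request:
    path: str
    user: User
    params: dict = field(default_factory=dict)


# Constructed address store: user name -> address text exactly as submitted.
ADDRESSES: dict[str, str] = {}

# Hypothetical admin pages, mirroring the buttons seen in the write-up.
ADMIN_PAGES = {"/cAdmin.asp", "/admin.asp", "/addresses.asp", "/Cpanel.asp", "/store.asp"}


def render_address_unsafe(addr: str) -> str:
    # Vulnerable: stored data interpolated straight into HTML.
    return f"<td>{addr}</td>"


def render_address_safe(addr: str) -> str:
    # Hardened: escape for the HTML element context before output.
    return f"<td>{html.escape(addr, quote=True)}</td>"


def handle_vulnerable(req: Request) -> tuple[int, str]:
    # Only the menu page checks the role; deeper pages trust the caller.
    if req.path == "/cAdmin.asp" and req.user.role != "admin":
        return 302, "/login.asp"
    if req.path == "/addresses.asp":
        return 200, "".join(render_address_unsafe(a) for a in ADDRESSES.values())
    if req.path in ADMIN_PAGES:
        return 200, "admin content"
    return 404, ""


def handle_hardened(req: Request) -> tuple[int, str]:
    # Deny by default: every admin path is gated, not just the entry point.
    if req.path in ADMIN_PAGES and req.user.role != "admin":
        return 403, ""
    if req.path == "/addresses.asp":
        return 200, "".join(render_address_safe(a) for a in ADDRESSES.values())
    if req.path in ADMIN_PAGES:
        return 200, "admin content"
    return 404, ""


def demo() -> dict:
    # Constructed scenario: a normal user stores a script tag as an address,
    # then hits the admin sub-page directly; later an admin views the list.
    ADDRESSES.clear()
    ADDRESSES["mallory"] = "<script>alert(1)</script>"
    normal = User("mallory", "user")
    admin = User("root", "admin")
    return {
        "vuln_direct_status": handle_vulnerable(Request("/addresses.asp", normal))[0],
        "safe_direct_status": handle_hardened(Request("/addresses.asp", normal))[0],
        "vuln_admin_view": handle_vulnerable(Request("/addresses.asp", admin))[1],
        "safe_admin_view": handle_hardened(Request("/addresses.asp", admin))[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler makes the authorization decision on the set of protected paths rather than on one entry page, which is the usual fix for this class of "menu is guarded, sub-pages are not" bug; the escaping fix is independent of it and is needed regardless, since an admin editing a user's address would otherwise inject into the user's session just as the post describes.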

Thanks to:

The Bugcrowd team for allowing disclosure of this issue.

Hritik Sharma for his write-up about privilege escalation.

Timeline

23rd Sept: Initial discovery.

24th Sept: Triaged by the Bugcrowd team.

16th Oct: $xxxx bounty rewarded.
