Add new user with Admin permission and takeover the organization
Target : redacted.com
Recently i joined a private program and i asked them for two testing accounts ( Admin — user )
Next day i received an invite to redacted.com and they told me they can’t provide an account with admin permission , i’m only allowed to test with a low user account.
So i go to the website and login to the application but i didn’t find anything interesting
the low user can only view pages and no functions to test except a file upload function which only accept PDF formats.
Now i need to test the Authorization functions but i don’t have admin account, also their is no API documentation so i can figure out what is the admin endpoints.
The rule is “ if there is an admin user so for sure there is an admin endpoints”
Without admin account and without API documentation available The only way here is to guess the admin endpoints
and from my previous experience i know that there is a lot of endpoints that can belong to the admin but the most popular one is the one which disclose the user information
This endpoint can be in the following formats :
/api/v2/member/
/api/v2/members/
/api/v2/users/
/api/v2/user/
So i quickly go to burp suite to get any API request so i can play with it
i changed the endpoint from /api/v2/search/suggestion/counterparty/ to /api/v2/members/ == 404
api/v2/users== 404
api/v2/user == 405
So when sending a GET request to non-existing endpoint it give 404 but when requesting an existing endpoint we got a different response. (405 the method is not allowed )
Now i changed the the request method from GET to POST
The server tell us that he missing some parameters in body request
As you know , because we play with API’s endpoints so the data will be in JSON format
So i changed the content type to JSON and insert the parameters which is missing as shown below
well there is another missing parameter “client” for the first time i thought this parameter controlling the user permission, so i entered a test value and it give me an error
i change the value from string to integer
Great, the user has been created
i opened another browser and trying to reset password for the new account but i didn’t receive the reset password email
after some time i found that the “client” parameter was controlling where to create this user
So i send the request to burp intruder and then i configure it to brute force the client param from 1 to 100
and the result as follows
so the request succeeded in the above id’s so i go again to the browser and send a reset password request to my new account and i got the reset password email after 1 min and then i logged in to the application
“Let’s takeover the organization”
i told myself to be quit and don’t submit this now, what if i can add new user with admin permission ?
may be there is a parameter that can control the user permission
For my luck , all what i did is add new parameter to the request which is “role” with “admin” value ( “role”=”admin” )
and guess what ? the request succeeded and when i login with the new account i found myself has admin permission on the organization
i hope you find anything useful after reading this :)
