Add new user with Admin permission and takeover the organization

Tarek Mohamed
Sep 4, 2019 · 4 min read

Target : redacted.com

Recently i joined a private program and i asked them for two testing accounts ( Admin — user )
Next day i received an invite to redacted.com and they told me they can’t provide an account with admin permission , i’m only allowed to test with a low user account.

So i go to the website and login to the application but i didn’t find anything interesting
the low user can only view pages and no functions to test except a file upload function which only accept PDF formats.

Now i need to test the Authorization functions but i don’t have admin account, also their is no API documentation so i can figure out what is the admin endpoints.

The rule is “ if there is an admin user so for sure there is an admin endpoints”

Without admin account and without API documentation available The only way here is to guess the admin endpoints
and from my previous experience i know that there is a lot of endpoints that can belong to the admin but the most popular one is the one which disclose the user information

This endpoint can be in the following formats :

/api/v2/member/
/api/v2/members/
/api/v2/users/
/api/v2/user/

So i quickly go to burp suite to get any API request so i can play with it

Image for post
Image for post

i changed the endpoint from /api/v2/search/suggestion/counterparty/ to /api/v2/members/ == 404

Image for post
Image for post

api/v2/users== 404

Image for post
Image for post

api/v2/user == 405

Image for post
Image for post

So when sending a GET request to non-existing endpoint it give 404 but when requesting an existing endpoint we got a different response. (405 the method is not allowed )
Now i changed the the request method from GET to POST

Image for post
Image for post

The server tell us that he missing some parameters in body request

As you know , because we play with API’s endpoints so the data will be in JSON format
So i changed the content type to JSON and insert the parameters which is missing as shown below

Image for post
Image for post

well there is another missing parameter “client” for the first time i thought this parameter controlling the user permission, so i entered a test value and it give me an error

Image for post
Image for post

i change the value from string to integer

Image for post
Image for post

Great, the user has been created
i opened another browser and trying to reset password for the new account but i didn’t receive the reset password email

after some time i found that the “client” parameter was controlling where to create this user
So i send the request to burp intruder and then i configure it to brute force the client param from 1 to 100
and the result as follows

Image for post
Image for post

so the request succeeded in the above id’s so i go again to the browser and send a reset password request to my new account and i got the reset password email after 1 min and then i logged in to the application

“Let’s takeover the organization”

i told myself to be quit and don’t submit this now, what if i can add new user with admin permission ?
may be there is a parameter that can control the user permission

For my luck , all what i did is add new parameter to the request which is “role” with “admin” value ( “role”=”admin” )
and guess what ? the request succeeded and when i login with the new account i found myself has admin permission on the organization

i hope you find anything useful after reading this :)

https://twitter.com/Conan0x3

https://hackerone.com/co0nan

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store