
🟩Easy $$$ from PrivEsc: Hacking the Hidden Feature

Exploiting PrivEsc to access hidden features and send invite emails using a low-privilege account.

Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3. PrivEsc is easier than you think—it really is.

So, let’s get to it. After the journey in my last write-up, I navigated to a new public bug bounty program on Bugcrowd (not this one; just updating you). I found some PrivEscs on that scam program, but it doesn’t matter—I really learned a lot.

After that, I shifted to another public program. Let’s call it amazing-school.com.


A basic school app with roles (teacher, student [adult, child]) and permissions. But I’m not diving deep into that—I'm here to share a PrivEsc that took less than an hour using the app as a real user.

The key tip here is to use the app with all its roles for a while as a real user. See what each role can and can’t do (based on the UI, of course, if there’s no documentation to help).

I realized that adults and teachers can share class materials via [invite links & email invites], while child accounts can’t use this option (email invites) through the UI. So, let’s fire up your lovely Burp Suite and check the backend.

Steps

  1. Log in as an adult or teacher and send the invite via email.

  2. Re-use this request using the child account cookies, and voilà—there’s no backend role validation for this endpoint.
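To make the missing check concrete, here is an added example (not the write-up's code and not the target program's) that models the invite-by-email endpoint as two plain Python handlers: one that only checks the caller is logged in, which is the behaviour observed above, and one that also enforces an allow-list of roles on the backend. The session store, cookie values, role names and request body are constructed for the example; the `replay_as_every_role` helper does what step 2 does in Burp, sending the same request once per role's cookie, so it doubles as a regression test a developer could keep.

```python
from dataclasses import dataclass, field

# Constructed server-side session store (hypothetical): cookie value -> user.
# The role is looked up here, on the server, never read from the request body.
SESSIONS = {
    "sess-teacher": {"user_id": 1, "role": "teacher"},
    "sess-adult":   {"user_id": 2, "role": "adult"},
    "sess-child":   {"user_id": 3, "role": "child"},
}

# Roles the UI lets send email invites; the backend must enforce the same set.
INVITE_ROLES = frozenset({"teacher", "adult"})


class Unauthenticated(Exception):
    """Cookie does not map to a logged-in session."""


class Forbidden(Exception):
    """Session is valid but this role may not use the feature."""


@dataclass
class Request:
    cookie: str   # session cookie as sent by the browser
    body: dict    # parsed JSON body, e.g. {"class_id": 7, "email": "..."}


@dataclass
class Outbox:
    sent: list = field(default_factory=list)   # emails the handler would send


def current_user(req: Request) -> dict:
    """Authentication: resolve the cookie to a server-side session."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        raise Unauthenticated("no session for cookie")
    return user


def send_invite_vulnerable(req: Request, outbox: Outbox) -> dict:
    """Checks only that the caller is logged in. Any role, child included,
    reaches the feature by replaying a captured request with its own cookie."""
    user = current_user(req)
    outbox.sent.append({"from": user["user_id"], "to": req.body["email"],
                        "class_id": req.body["class_id"]})
    return {"status": "sent"}


def send_invite_fixed(req: Request, outbox: Outbox) -> dict:
    """Authentication plus backend authorization on the server-side role."""
    user = current_user(req)
    if user["role"] not in INVITE_ROLES:
        raise Forbidden(f"role {user['role']!r} may not send invites")
    outbox.sent.append({"from": user["user_id"], "to": req.body["email"],
                        "class_id": req.body["class_id"]})
    return {"status": "sent"}


def replay_as_every_role(handler) -> dict:
    """Regression check: the same invite request replayed with each role's
    cookie. Returns role -> "sent" or "forbidden"."""
    body = {"class_id": 7, "email": "invitee@example.com"}   # constructed
    outcomes = {}
    for cookie, user in SESSIONS.items():
        try:
            handler(Request(cookie, dict(body)), Outbox())
            outcomes[user["role"]] = "sent"
        except Forbidden:
            outcomes[user["role"]] = "forbidden"
    return outcomes


if __name__ == "__main__":
    print("vulnerable:", replay_as_every_role(send_invite_vulnerable))
    print("fixed:     ", replay_as_every_role(send_invite_fixed))
```

The design point is where the role comes from: the fixed handler reads it from the server-side session that the cookie resolves to, so swapping cookies only changes which user the check is made for, and the child session is refused regardless of what the request body says.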

Impact?

Since it’s a school with the roles I mentioned, a child account can bypass role-based access control. This could lead to spam and other issues with a P4 impact, xD.


Remember, this isn't the best PrivEsc you'll find, but it’s one of the easiest to apply (just replace the cookies and try your luck)!


That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3
