🟩Easy $$$ from PrivEsc: Hacking the Hidden Feature
Exploiting PrivEsc to access hidden features and send invite emails using a low-privilege account.
Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, ma amigo <3. PrivEsc is easier than you think—it really is.
So, let’s get to it. After the journey in my last write-up, I navigated to a new public bug bounty program on Bugcrowd (not this one; just updating you). I found some PrivEscs on that scam program, but it doesn’t matter—I really learned a lot.
After that, I shifted to another public program. Let’s call it amazing-school.com.
A basic school app with roles (teacher, student [adult, child]) and permissions. But I’m not diving deep into that—I’m here to share a PrivEsc that took less than an hour using the app as a real user.
The key tip here is to use the app with all its roles for a while as a real user. See what each role can and can’t do (based on the UI, of course, if there’s no documentation to help).
I realized that adults and teachers can share class materials via invite links and email invites, while child accounts can’t use the email-invite option through the UI. So, let’s fire up your lovely Burp Suite and check the backend.
Steps
1. Log in as an adult or teacher and send the invite via email.
2. Re-use this request using the child account cookies, and voilà—there’s no backend role validation for this endpoint.
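What the missing check looks like on the server side, as an added example that is not the program’s code: the role is taken from the server-side session tied to the cookie (never from the request body), and the email-invite action is gated on a per-role permission set. Role names, session values and the handler names are assumed for illustration.

```python
# Added example (not the program's real code): server-side role check for the
# "share class material by email invite" endpoint from the write-up.

# Role -> allowed actions. Child accounts may use invite links but not email
# invites, matching what the UI exposes. (Assumed names.)
PERMISSIONS = {
    "teacher": {"share.invite_link", "share.email_invite"},
    "adult":   {"share.invite_link", "share.email_invite"},
    "child":   {"share.invite_link"},
}

# Constructed server-side session store: cookie value -> account record.
SESSIONS = {
    "sess-teacher-1": {"user_id": 1, "role": "teacher"},
    "sess-child-7":   {"user_id": 7, "role": "child"},
}

class Forbidden(Exception):
    pass

def current_account(cookies):
    """Resolve the account from the session cookie; anonymous callers are rejected."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        raise Forbidden("not authenticated")
    return session

def email_invite_vulnerable(cookies, body):
    """The flaw from the write-up: authenticated, but no role check, so replaying
    the request with child cookies succeeds."""
    account = current_account(cookies)
    return {"sent_by": account["user_id"], "to": body["email"]}

def email_invite_fixed(cookies, body):
    """Hardened: the role comes from the server-side session, not from anything
    the client sends, and the action must be in that role's permission set."""
    account = current_account(cookies)
    if "share.email_invite" not in PERMISSIONS[account["role"]]:
        # Worth logging: the UI never issues this request for a child account,
        # so a denial here is a direct signal of a replayed or forged request.
        raise Forbidden(f"role {account['role']} may not send email invites")
    return {"sent_by": account["user_id"], "to": body["email"]}
```

The body deliberately carries a client-supplied `role` field in the test to show that the hardened handler ignores it.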

Impact?
Since it’s a school with the roles I mentioned, a child account can bypass role-based access control. This could lead to spam and other issues with a P4 impact, xD.

Remember, this isn’t the best PrivEsc you’ll find, but it’s one of the easiest to apply (just replace the cookies and try your luck)!
That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking 3>