
🟧I'm in love with Privilege Escalations!

A simple P3 privilege escalation that allowed me to expose private chat content to any member.

Hello, friend! This is mrhashimamin. And I’m back today with a new write-up for you, mi amigo <3.

Alright, let’s get to it. This is about a bug I found in the scam program I mentioned in my last write-up. Finally, after 25 fkn days (and after it had been accepted), they paid me xD.

team-manager.cloud

Okay, let’s call it team-manager.cloud. It’s an application for teams to manage their work activities (e.g., tasks, reports, communication, etc.). It includes teams, and within those teams, there are chats—some public, some private. There are also a ton of user roles and permissions (a goldmine for a logic bug lover).

And here’s tip.1: Always choose a big app with lots of functions, roles, and permissions.

Today’s write-up is about the chats. While testing the chat functionality, I discovered that, as a member-role user, I could create both private and public chats.

After creating both, I inspected the request and noticed that the application refers to the privacy of public chats as O and private chats as P.

(screenshots: the public chat request and the private chat request)

I made sure to note that down so I wouldn’t forget (this is all part of real user testing/crawling—I’m just using the app and taking notes that might help later).

After using the app for a few hours like a normal user, I thought, why not try some basic privilege escalation tests? I hopped into the admin account, messed with some permissions, and then tried accessing them using the API through my Burp Suite.

While checking the chat permissions, I saw that the admin can let members turn public chats into private ones. So, I turned that permission off and tried doing it with the attacker’s (member-role) cookies. As expected, it gave me a 403 error.

So, I went back to the permissions again and noticed there wasn’t a similar permission for converting private chats to public. That got my attention, so I turned to the most useful thing when testing for logic bugs and access control issues—the docs!

There's no Convert permission in the private chats

Here’s tip.2: Always check the docs. I seriously read through a ton of them when I start hunting on a new program.

I started searching for anything about converting private chats to public, and bam—I found my bug!

from the docs

The docs said, 'No fkn way you can convert private chats to public—not even the admin can give you that permission for security reasons.' So, I went back to the request that converts public chats to private and took a closer look.

converting to private

Hmmmm, yeah, absolutely! I changed the privacy parameter from P to O, trying to convert a private chat to a public one... and it worked!

converting to public

Impact?

As the docs showed, the impact was straightforward: a privilege escalation that bypassed admin restrictions for this role, exposing private chat content.
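To make the access-control flaw concrete, here is an added example (my own code, not team-manager.cloud's) of the privacy-change handler as the post describes it, beside a hardened version. Only the `O`/`P` privacy values come from the write-up; the role names, the `members_can_convert_to_private` flag, the data model and the function names are assumptions. The vulnerable handler gates only the O→P direction, so a member can still send P→O; the fixed one validates the transition against the chat's current state and denies P→O for everyone, matching what the docs promised.

```python
from dataclasses import dataclass, field

PUBLIC = "O"   # value the app used for public chats (from the write-up)
PRIVATE = "P"  # value the app used for private chats (from the write-up)


class Forbidden(Exception):
    """Raised where the real app would answer 403."""


@dataclass
class Chat:
    id: int
    privacy: str  # "O" or "P"


@dataclass
class Team:
    # Hypothetical admin-toggled permission: may members make public chats private?
    members_can_convert_to_private: bool = True
    chats: dict = field(default_factory=dict)


@dataclass
class User:
    role: str  # "admin" or "member" (assumed role names)


def set_privacy_vulnerable(team: Team, user: User, chat_id: int, privacy: str) -> str:
    """Handler as the bug behaves: only the O->P direction is checked.

    The developer only imagined members asking to make chats private, so the
    reverse request (P->O) is never inspected and simply succeeds.
    """
    chat = team.chats[chat_id]
    if privacy == PRIVATE and user.role != "admin" and not team.members_can_convert_to_private:
        raise Forbidden("members may not convert public chats to private")
    chat.privacy = privacy
    return chat.privacy


def set_privacy_fixed(team: Team, user: User, chat_id: int, privacy: str) -> str:
    """Hardened handler: authorize the transition (current -> requested), deny by default."""
    if privacy not in (PUBLIC, PRIVATE):
        raise ValueError(f"unknown privacy value {privacy!r}")
    chat = team.chats[chat_id]
    if chat.privacy == privacy:
        return chat.privacy  # no-op, nothing to authorize
    if chat.privacy == PRIVATE and privacy == PUBLIC:
        # The docs say this is never allowed, not even for admins.
        raise Forbidden("private chats cannot be converted to public")
    if chat.privacy == PUBLIC and privacy == PRIVATE:
        if user.role != "admin" and not team.members_can_convert_to_private:
            raise Forbidden("members may not convert public chats to private")
        chat.privacy = privacy
        return chat.privacy
    raise Forbidden("transition not permitted")  # deny anything not explicitly allowed


def make_team() -> Team:
    """Constructed sample state: chat 1 is private, chat 2 is public."""
    return Team(chats={1: Chat(1, PRIVATE), 2: Chat(2, PUBLIC)})


def attempt(handler, team: Team, user: User, chat_id: int, privacy: str) -> str:
    """Run a handler and summarize the outcome as 'allowed' or 'denied'."""
    try:
        handler(team, user, chat_id, privacy)
        return "allowed"
    except Forbidden:
        return "denied"


def compare() -> dict:
    """Outcomes for a member sending each direction against both handlers."""
    member = User("member")
    results = {}
    for name, handler in (("vulnerable", set_privacy_vulnerable), ("fixed", set_privacy_fixed)):
        team = make_team()
        team.members_can_convert_to_private = False  # admin turned the permission off
        results[name] = {
            "O->P": attempt(handler, team, member, 2, PRIVATE),
            "P->O": attempt(handler, team, member, 1, PUBLIC),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

The design point is that the check must be expressed over the state transition, not over the requested value alone: an allow-list of (current, requested, role) tuples with a final deny catches the direction nobody thought to write a rule for. A review or test suite that enumerates every transition for every role would have flagged the missing P→O case before a bounty hunter did.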


That's the story for today. I hope you find this write-up useful. Thanks, and keep hacking <3
