From a Laravel Stack Trace to Privilege Escalation [Admin]
Hi! In this article I will only tell a little about the findings that I think are interesting enough to be used as stories on my medium.com xD
Note: I found this attack on one of the vendors and, of course, I will censor the details :)
Description
Laravel Stack Trace: I found this stack trace when I couldn’t access a certain page and got an error response.
Privilege Escalation [Admin]: In this case I take advantage of the “Select Level” parameter, which previously could only be set to “Users”, and change it to “Admin”.
Reconnaissance: Getting the MySQL Database User/Pass
After doing recon I got one endpoint that returned an error like “InvalidArgumentException” > “View [auth.xxxxxxxxx] not found.”
“xxxxxxxxx” = path
Login to MySQL
After I got the username and password for this MySQL server, I tried to log in using the command
“mysql -h host.com/IP -u User -p”
After logging in I also tried to create a new database, and it worked.
Cracking Passwords Using “John the Ripper”
After getting the name of the database in use, I looked at the tables to get the user credentials and passwords used on this website.
Note: The “Pwnd” table is a table I created myself when I checked whether I could add a table or not.
Here I found the “muser” table, which contains the usernames and passwords used to log in to the website.
I got a lot of usernames and passwords and also the level of each user. There are three levels: User, Manager and Admin.
But the passwords here look like “bcrypt” hashes?
I saved all these hashes into a “hash.txt” file, which I would crack later using the “John the Ripper” tool
(https://github.com/openwall/john)
I ran this tool using the command
“john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt”
For the wordlist I used “rockyou.txt”, and I got the password.
Privilege Escalation [User to Admin]
After I successfully logged in as one of the users, I only got “Manager” access, not “Admin”, which was clear from the menus that were missing.
After I accessed the “Management User” menu, there was an “Add User” feature.
I tried to add my own account, just “hackforfun”, but there we can only add it as a “User”.
Then I enabled Intercept in my Burp Suite, and I found a parameter that was interesting in my opinion.
I got the parameter “select_level”, which contains “user”. Can I tamper with this parameter? YESSSSSSSSSSSS YOU CAN!!!!!!! XD
I again checked the levels in the “muser” table, and there is an “Admin” level for the highest permissions.
I did a User Edit on the user I created earlier, with Intercept enabled in Burp Suite again.
I changed the value of the “select_level” parameter from “User” to “Admin”.
When I looked back, my user had disappeared from its place!
I then checked the “muser” table again, and my user had become level “Admin”!!!!
I logged in as my user and BOOOOMMM!!! I could access anything~
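The root cause of the escalation above is that the server saves whatever “select_level” the client sends without checking who is allowed to grant which level. Below is an added illustration (not the vendor’s code) of a Laravel controller with that flaw beside a hardened version; the “muser” table, its level column, the levels user/manager/admin and the “select_level” field come from this write-up, while the class names, the `Muser` model, the route binding and the grant policy are assumed.

```php
<?php
// Added illustration, not the vendor's code: the "muser" table, its level column,
// the levels user/manager/admin and the "select_level" field come from the
// write-up; class, model and policy names are assumed. The stack-trace leak is
// a separate fix: Laravel's debug page only renders when APP_DEBUG=true.

namespace App\Http\Controllers;

use App\Models\Muser;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class VulnerableUserController extends Controller
{
    // Whatever the form (or an intercepted request) sends becomes the level.
    // Nothing checks whether the caller may grant that level, so a manager
    // who edits select_level=user into select_level=admin gets an admin.
    public function update(Request $request, Muser $muser)
    {
        $muser->level = $request->input('select_level');
        $muser->save();
        return redirect()->back();
    }
}

class HardenedUserController extends Controller
{
    // Which levels a caller may assign, keyed by the caller's own level (assumed policy).
    private const GRANTABLE = [
        'manager' => ['user'],
        'admin'   => ['user', 'manager', 'admin'],
    ];

    public function update(Request $request, Muser $muser)
    {
        $allowed = self::GRANTABLE[$request->user()->level] ?? [];
        // Reject any value outside the set this caller may grant: "admin" in a
        // tampered manager request fails validation instead of being saved.
        $data = $request->validate([
            'select_level' => ['required', Rule::in($allowed)],
        ]);
        // Also refuse to touch an account that already outranks the caller.
        abort_unless(in_array($muser->level, $allowed, true), 403);
        $muser->level = $data['select_level'];
        $muser->save();
        return redirect()->back();
    }
}
```

The two classes sit in one file only so they can be read side by side; in a real application each lives in its own file and the route is behind the `auth` middleware so `$request->user()` is never null.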
Thanks!