Privilege Escalation

1,903
-1

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,903
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Privilege Escalation

  1. 1. Privilege Escalation Issue
  2. 2. Nothing but a login
  3. 3. Identified a Main.js file
  4. 4. With some admin URL’s <ul><li>https://www.site.com/Secure/Admin/AdminNewUser.aspx?user_id=spidynamics&pwd=pass </li></ul>
  5. 5. A 302 to an inside page <ul><li>HTTP/1.1 302 Object moved </li></ul><ul><li>Server: Microsoft-IIS/5.0 </li></ul><ul><li>X-Powered-By: ASP.NET </li></ul><ul><li>Location: /Secure/ViewSystemMessage.aspx?id=47 </li></ul><ul><li>Connection: Keep-Alive </li></ul><ul><li>Content-Length: 121 </li></ul><ul><li>Content-Type: text/html </li></ul><ul><li>Cache-control: private </li></ul>
  6. 6. Then get redirected again to a login
  7. 8. Let’s try accessing the admin functions <ul><li>https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=spidynamics </li></ul>
  8. 10. <ul><li>https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=2 </li></ul>
  9. 11. <ul><li>UID field cycles thru each user </li></ul>
  10. 12. <ul><li>UID 3 is now another user </li></ul>
  11. 13. <ul><li>By incrementing the UID field to 183 – we identified our user id. </li></ul>
  12. 14. <ul><li>Clicking ‘Edit’ allowed us to set our user role to administrator </li></ul>
  13. 16. <ul><li>By looking at the existing admin page names we knew about. A guess for the filename of admindefault.aspx turned up successful in the admin directory </li></ul>
  14. 17. <ul><li>When clicking on the URLs though it gave us a 404 </li></ul>
  15. 18. <ul><li>So we started guessing – maybe it needs to be a .aspx extension? </li></ul>
  16. 19. Success –just try adminusers.aspx

×