Privilege Escalation


Published in: Technology
  1. Privilege Escalation Issue
  2. Nothing but a login
  3. Identified a Main.js file
  4. With some admin URLs
  5. A 302 to an inside page
       HTTP/1.1 302 Object moved
       Server: Microsoft-IIS/5.0
       X-Powered-By: ASP.NET
       Location: /Secure/ViewSystemMessage.aspx?id=47
       Connection: Keep-Alive
       Content-Length: 121
       Content-Type: text/html
       Cache-control: private
  6. Then get redirected again to a login
  8. Let's try accessing the admin functions
  11. UID field cycles through each user
  12. UID 3 is now another user
  13. By incrementing the UID field to 183, we identified our user id.
  14. Clicking 'Edit' allowed us to set our user role to administrator
  16. Based on the existing admin page names we knew about, a guess of admindefault.aspx for the filename turned up successful in the admin directory
  17. When clicking on the URLs, though, it gave us a 404
  18. So we started guessing: maybe it needs to be a .aspx extension?
  19. Success: just try adminusers.aspx
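
A detection-side sketch for the UID walk described above, added here as an example and not part of the original slides: it scans IIS W3C extended logs for a single client requesting a run of consecutive user IDs on the same page. The log lines are constructed, and the /admin/ path and the `uid` query-string parameter name are assumptions (the slides only mention a "UID field" and adminusers.aspx).

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (not taken from the slides).
# Assumed: the /admin/ path and a "uid" query-string parameter.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-02 10:01:07 203.0.113.9 GET /admin/adminusers.aspx uid=1 200
2009-03-02 10:01:09 203.0.113.9 GET /admin/adminusers.aspx uid=2 200
2009-03-02 10:01:11 203.0.113.9 GET /admin/adminusers.aspx uid=3 200
2009-03-02 10:01:13 203.0.113.9 GET /admin/adminusers.aspx uid=4 200
2009-03-02 10:01:15 203.0.113.9 GET /admin/adminusers.aspx uid=5 200
2009-03-02 10:04:30 203.0.113.9 GET /admin/adminusers.aspx uid=183 200
2009-03-02 10:06:00 198.51.100.4 GET /admin/adminusers.aspx uid=12 200
2009-03-02 10:07:00 198.51.100.4 GET /admin/adminusers.aspx uid=40 200
2009-03-02 10:08:00 198.51.100.4 GET /Secure/ViewSystemMessage.aspx id=47 200
"""

UID_RE = re.compile(r"(?:^|&)uid=(\d+)(?:&|$)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def longest_run(ids):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_uid_enumeration(text, min_run=5):
    """Return {(client_ip, page): sorted uids} for clients walking uid values."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        match = UID_RE.search(row.get("cs-uri-query", ""))
        if match and row.get("sc-status") == "200":
            key = (row["c-ip"], row["cs-uri-stem"].lower())
            seen[key].add(int(match.group(1)))
    hits = {k: sorted(v) for k, v in seen.items()}
    return {k: v for k, v in hits.items() if longest_run(v) >= min_run}
```

Detection only narrows the window; the underlying fix is a server-side role check on every page in the admin directory and on the role-edit action.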