Horizontal to Vertical Privilege Escalation

Varkey Thomas

Intro:

This type of escalation combines horizontal and vertical privilege escalation. First, an attacker gains access to a standard account without any administrative privileges. From that standard account, the attacker moves to the second step, vertical privilege escalation, through which the attacker reaches the administrator account and the more critical functionality it exposes.

The lab:

In the lab description, the attacker can access a standard user account using a parameter tampering technique as horizontal privilege escalation. The attacker can then use a similar technique to perform a vertical privilege escalation attack and gain access to the administrator account.

The goal of the lab is to retrieve the administrator's password and use it to access the admin panel to delete the specified user. The credentials of a standard user account are provided as a starting point.

The lab begins with the default starting page.

Log in using the credentials already provided.

And here is the standard user account.

If the URL for the current user is examined, the ID parameter identifies which user's account is displayed.

Using this information, changing the value of the ID parameter to administrator gives access to the administrator account, although with restricted functionality.

In order to find out the administrator password, the inspect element feature can be useful.

Using the inspect element feature on the password block, the HTML of the webpage can be viewed, and within that HTML the password is present in plaintext.
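The two flaws the walkthrough exploits above are an account lookup driven by the client-supplied ID parameter and a page that embeds the password in its HTML. The following is an added example, not code from the lab or from the author, that puts a vulnerable account handler next to a hardened one. The user store, the user names, the placeholder secrets and the AUDIT_LOG sink are all constructed for this illustration; the handlers model HTTP responses as plain dictionaries so the example runs offline.

```python
from typing import Dict, List, Optional

# Constructed in-memory user store. Names and placeholder secrets are
# assumptions for this example, not the lab's data. A real store would
# hold password hashes, never the cleartext shown here.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"role": "user", "email": "alice@example.com",
              "password": "alice-secret-placeholder"},
    "administrator": {"role": "admin", "email": "admin@example.com",
                      "password": "admin-secret-placeholder"},
}

# Hypothetical audit sink. The hardened handler records every mismatch
# between the session identity and the requested id; that is the event a
# detection rule for this kind of parameter tampering would alert on.
AUDIT_LOG: List[Dict[str, str]] = []


def vulnerable_my_account(session_user: Optional[str], params: Dict[str, str]) -> Dict:
    """Reproduces the lab's two flaws: the displayed account is chosen by
    the ?id= parameter rather than the session, and the rendered page
    carries the password (the hidden field read with Inspect Element)."""
    if session_user is None:
        return {"status": 401, "body": {}}
    target = params.get("id", session_user)        # trusts the URL, not the session
    user = USERS.get(target)
    if user is None:
        return {"status": 404, "body": {}}
    body = {"username": target, "email": user["email"], "role": user["role"],
            "password": user["password"]}          # secret leaks into the page
    return {"status": 200, "body": body}


def hardened_my_account(session_user: Optional[str], params: Dict[str, str]) -> Dict:
    """Binds the displayed account to the authenticated session, rejects
    any attempt to view another account, and never returns the password."""
    if session_user is None:
        return {"status": 401, "body": {}}
    requested = params.get("id")
    if requested is not None and requested != session_user:
        # Deny and leave an audit trail instead of silently serving the page.
        AUDIT_LOG.append({"event": "account_id_mismatch",
                          "session_user": session_user,
                          "requested_id": requested})
        return {"status": 403, "body": {}}
    user = USERS[session_user]
    body = {"username": session_user, "email": user["email"], "role": user["role"]}
    return {"status": 200, "body": body}


if __name__ == "__main__":
    # Standard user asking for the administrator's page, both handlers.
    print(vulnerable_my_account("alice", {"id": "administrator"}))
    print(hardened_my_account("alice", {"id": "administrator"}))
    print(AUDIT_LOG)
```

The fix is the combination, not either half alone: deciding which account to show from the session removes the horizontal step, and keeping the password out of the response removes the vertical step even if some other authorization bug reappears later. The audit entry gives a SOC a concrete signal (session user and requested id disagree) to monitor for this class of tampering.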

The next step is simply a matter of copying the administrator credentials into the login screen.

Once logged in, the administrator panel is accessible.

Upon accessing the admin panel, the target user can be deleted, thereby completing the lab.
