User role controlled by request parameter

Taji Abdullah

Intro

This lab got me back to things I learned during TryHackMe’s Advent of Cyber 2024 event: using the Repeater and Proxy Intercept in Burp Suite. I was also able to take things a little bit further with cookie manipulation. This made privilege escalation possible, and I was able to enter the admin panel and delete a user.

So let's get into it!

The Lab

Solving this lab requires gaining access to the admin panel and again deleting a user named Carlos (I don’t know why we don’t like Carlos).

The Analysis

  1. Unlike the previous labs, the reading material prior to this lab didn’t immediately have any clues that stood out to me.

    The lab instructions mentioned gaining access with a forgeable cookie, so I went into my Kali VM and opened the lab web page in the Burp Suite browser; this can be seen in the above screenshot.

    I wanted to capture the cookie upon login; the credentials were provided for a user:

    wiener:peter

    So I logged in as wiener with the password peter:

  2. Once I was logged in, I turned on Intercept under Burp's Proxy tab and refreshed the web page to capture the cookie:

    It's extremely tiny, but in the screenshot, line 3 is the captured cookie info. It has an admin boolean value as false.

  3. I edited the value and set it to true directly in the request on line 3:

  4. I then sent the edited request to the Repeater and was able to see a successful login.

    https://youtu.be/gfXTcrxgNxY?si=MLML3B7tT2MlopA1

    I just realized I should have shown a successful login before I edited the boolean value in the cookie; this would have shown the logged-in user without having access to the admin panel.

    OK, so I have admin access, privilege escalation has been achieved! Now it's time to get rid of Carlos. To do this, I navigated to the admin panel:

  5. I hit the delete button for Carlos and intercepted the request:

  6. I once again modified the cookie boolean value, changing it to be true instead of false:

  7. This allowed me to successfully delete the user account despite not actually having admin rights. And the lab was solved:
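Seen from the server side, the steps above work because the authorization decision reads a value the browser controls. The following is an added example, not code from the lab or from this write-up: it puts that flawed check next to one that resolves the role from server-side session state. The cookie names `admin` and `session`, the user store and all function names are assumptions made for illustration.

```python
import secrets

# Constructed server-side state: roles live here, never in the browser.
USERS = {"wiener": {"is_admin": False},
         "carlos": {"is_admin": False},
         "administrator": {"is_admin": True}}
SESSIONS = {}  # opaque session id -> username


def login(username):
    """Issue an unguessable session id; the cookie carries no role data."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def is_admin_vulnerable(cookies):
    """Flawed pattern: trust a role flag supplied by the client."""
    return cookies.get("admin") == "true"


def is_admin_hardened(cookies):
    """Look the session up server-side and read the role from the user store."""
    username = SESSIONS.get(cookies.get("session", ""))
    user = USERS.get(username)
    return bool(user and user["is_admin"])


def role_cookie_mismatch(cookies):
    """Detection hook: client claims admin but the server-side role disagrees."""
    return is_admin_vulnerable(cookies) and not is_admin_hardened(cookies)


def handle_delete(cookies, target, authorize, users):
    """Hypothetical admin action; returns an HTTP-style status code."""
    if not authorize(cookies):
        return 401
    if users.pop(target, None) is None:
        return 404
    return 200


if __name__ == "__main__":
    sid = login("wiener")
    edited = {"session": sid, "admin": "true"}  # cookie changed in transit
    print("vulnerable:", handle_delete(edited, "carlos", is_admin_vulnerable, dict(USERS)))
    print("hardened:  ", handle_delete(edited, "carlos", is_admin_hardened, dict(USERS)))
    print("log alert: ", role_cookie_mismatch(edited))
```

The hardened check ignores the `admin` cookie entirely, so the mismatch hook is useful mainly as a log signal that someone is editing cookies.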

What I learned

  • I learned how to modify info contained inside a cookie.

  • I learned what manipulating cookie data looks like from an attacker's perspective, having some web development experience in my background.

  • I learned that I should better document a successful login prior to privilege escalation.

  • I should try to figure out if it's possible to streamline this workflow; maybe the steps could be reduced?

  • More hands-on experience working with Burp Suite to build up muscle memory for it.
