How I decrypted the traffic and went from a low-privilege user to full admin access

Ahmed Rabeaa Mosaa (SadC0d3r)
4 min read · Sep 22, 2024


Hi hackers, my name is Ahmed Mosaa, Cyber Security Engineer, and this engagement was done in the government sector. In this article, I will explain how I got full privileges from a low-privilege user after decrypting the traffic. Let's start.

During the test, using Burp as usual, I found that all information sent or received was encrypted, as shown.

I couldn't edit anything in a request or response. But I was typing clear text, and it was converted to encrypted text before being submitted to the server; and when the browser received the encrypted data, it was displayed as clear text. So the encrypt and decrypt functions had to be on the client side. This was the big challenge for me, because there were a lot of JS files and the JS miners didn't turn up anything useful, so I decided to debug the JS code until I found the functions.

A very hard challenge, but after some digging in the JS code, I found the functions (nice catch).

Great. Then I wrote a PHP script to encrypt and decrypt, because I didn't have enough time to write a Burp extension.

At this point I could decrypt the traffic, edit it, and then re-encrypt it.

Now, during the test I had two accounts (admin and user). The admin could do some actions the normal user couldn't, like accessing users, editing their information, deleting any user, and much more. To confirm that the user didn't have those permissions, see the image below:

Nice. Now I'll open the user account and try to access the users section by adding /settings/users, just like in the admin account.

Okay, when I logged in to the application, I found a permissions section in the response.

In the error message I saw VIEWUSERS, so I took this key, encrypted it using the PHP script I created, and added the encrypted value to the permissions section of the response, as shown in the image below:

VIEWUSERS: 5lAvsPK4kpc0+DFtVgMF0g==
DELETEUSERS: v8sxsDXjbhobTYTMFd2iWg==
EDITUSERS: hN+yoZycPmSRaPByAg3s8A==

And as you'd expect, I escalated my privileges, accessed the users, and could take any action I wanted on them.
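The escalation worked because the permissions list the server handed to the client ended up driving what the user could do, and client-side encryption of the traffic did nothing to protect it. Below is an added example (not code from the article or the tested application) of the server-side check that closes this class of bug: permissions are resolved from the server's own session store, and anything the client sends, encrypted or not, is ignored. The session ids, routes and permission store are constructed for illustration; only the permission names come from the article.

```javascript
// Constructed server-side session store: the only source of truth for permissions.
// Session ids and users here are made-up sample data.
const SESSIONS = {
  'sess-admin': { user: 'admin', permissions: ['VIEWUSERS', 'EDITUSERS', 'DELETEUSERS'] },
  'sess-user':  { user: 'user',  permissions: [] },
};

// Route -> permission required. Enforced on every request, not just reflected to the UI.
const REQUIRED = {
  'GET /settings/users':    'VIEWUSERS',
  'POST /settings/users':   'EDITUSERS',
  'DELETE /settings/users': 'DELETEUSERS',
};

// The list sent to the client is derived from the session and is a UI hint only.
function permissionsForClient(sessionId) {
  const session = SESSIONS[sessionId];
  return session ? [...session.permissions] : [];
}

// Authorization decision. request.body.permissions (or any other client-supplied
// claim) is deliberately never read: the client can rewrite it at will.
function authorize(request) {
  const session = SESSIONS[request.sessionId];
  if (!session) return { status: 401, body: 'not authenticated' };
  const needed = REQUIRED[`${request.method} ${request.path}`];
  if (!needed) return { status: 404, body: 'unknown route' };
  if (!session.permissions.includes(needed)) {
    // Denied attempts are worth logging: repeated 403s on admin routes from a
    // low-privilege session are a detection signal for exactly this kind of tampering.
    return { status: 403, body: `forbidden: ${session.user} lacks ${needed}`, audit: true };
  }
  return { status: 200, body: `ok: ${session.user} may ${needed}` };
}

// Constructed sample: low-privilege session claims DELETEUSERS in its own request body.
const tampered = {
  sessionId: 'sess-user', method: 'DELETE', path: '/settings/users',
  body: { permissions: ['VIEWUSERS', 'DELETEUSERS', 'EDITUSERS'] },
};
console.log(authorize(tampered).status);                                   // 403
console.log(authorize({ sessionId: 'sess-admin', method: 'GET',
                        path: '/settings/users', body: {} }).status);      // 200
```

The same rule applies to the encryption layer: a key that ships in the JavaScript is available to every user, so it cannot substitute for server-side authorization.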

This is the admin user.

And this is the non-admin user 😂

And during the test, I assigned all privileges to myself.

And that's it.

And finally I would like to say: Glory be to You; we have no knowledge except what You have taught us. Indeed, You are the All-Knowing, the All-Wise.

Thanks for reading.
