Method-Based Access Control Can Be Circumvented
Lab: Method-based access control can be circumvented · Apprentice
Solution
Given
This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.
To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Analyzing the task
We need to familiarize ourselves with how the admin panel works and find a vulnerability that lets a regular user escalate to administrator privileges.
Recon
Let's log in as administrator and see how the admin panel works. There is an «Admin panel» link with a user selector and two buttons, essentially «Make admin» and «Remove admin». Let's try making wiener an admin and then removing the admin role again, capturing both requests.
The request:
POST /admin-roles
username=wiener&action=upgrade
The removal request is identical except for action=downgrade.
Now let's log in as wiener and replay the upgrade request: «Unauthorized».
Changing the method from POST to GET, with the parameters still in the body, returns «Missing parameter 'username'». So the request is no longer rejected outright; the handler simply doesn't see the body parameters on a GET. Let's pass them in the URL instead:
GET /admin-roles?username=wiener&action=upgrade
Worked! wiener is now an administrator and the lab is solved. The authorization check was tied to the POST handler only, so the same state-changing action was reachable via GET without any check at all.
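To make the flaw concrete, here is an added example (not PortSwigger's code; the handler names, the in-memory role store and the request shape are assumptions) that models a role endpoint whose admin check lives only in the POST branch, next to a hardened version that authorizes first for every method and then refuses anything but POST for a state-changing action. replay_lab() replays the three requests from the writeup as wiener against each handler.

```python
"""Flawed vs. hardened /admin-roles handler (added illustration, assumed design)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    user: str            # authenticated session user (assumed to come from the session cookie)
    query: str = ""      # raw query string, e.g. "username=wiener&action=upgrade"
    body: str = ""       # raw form body for POST


@dataclass
class RoleStore:
    # Constructed sample state: only the built-in administrator starts as admin.
    admins: set = field(default_factory=lambda: {"administrator"})

    def is_admin(self, user: str) -> bool:
        return user in self.admins

    def apply(self, username: str, action: str) -> None:
        if action == "upgrade":
            self.admins.add(username)
        elif action == "downgrade":
            self.admins.discard(username)
        else:
            raise ValueError("unknown action")


def _params(req: Request) -> Dict[str, str]:
    # Mirrors frameworks that read form fields from the body on POST and
    # from the query string on every other method.
    raw = req.body if req.method == "POST" else req.query
    return {k: v[0] for k, v in parse_qs(raw).items()}


def flawed_admin_roles(req: Request, store: RoleStore) -> Tuple[int, str]:
    """Vulnerable: the admin check is coupled to the POST branch, so a GET
    carrying the same parameters in the URL reaches the role change unchecked."""
    if req.method == "POST" and not store.is_admin(req.user):
        return 401, "Unauthorized"
    p = _params(req)
    if "username" not in p:
        return 400, "Missing parameter 'username'"
    store.apply(p["username"], p.get("action", ""))
    return 302, "OK"


def fixed_admin_roles(req: Request, store: RoleStore) -> Tuple[int, str]:
    """Hardened: authorize before anything else, independent of method, then
    reject every method except the one intended for a state change."""
    if not store.is_admin(req.user):
        return 401, "Unauthorized"
    if req.method != "POST":
        return 405, "Method Not Allowed"
    p = _params(req)
    if "username" not in p:
        return 400, "Missing parameter 'username'"
    store.apply(p["username"], p.get("action", ""))
    return 302, "OK"


def replay_lab(handler: Callable[[Request, RoleStore], Tuple[int, str]]) -> List[Tuple[int, bool]]:
    """Replays the writeup's three requests as wiener and returns, for each,
    the status code and whether wiener is an admin afterwards."""
    store = RoleStore()
    results = []
    for req in (
        Request("POST", "wiener", body="username=wiener&action=upgrade"),
        Request("GET", "wiener", body="username=wiener&action=upgrade"),   # body ignored on GET
        Request("GET", "wiener", query="username=wiener&action=upgrade"),
    ):
        status, _ = handler(req, store)
        results.append((status, store.is_admin("wiener")))
    return results


if __name__ == "__main__":
    print("flawed:", replay_lab(flawed_admin_roles))   # third request succeeds
    print("fixed: ", replay_lab(fixed_admin_roles))    # every request is 401
```

The detection angle follows from the same model: a GET to a state-changing admin endpoint carrying action parameters in the query string is itself worth alerting on, and the fix is to make the authorization decision before any method- or parameter-specific branching.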