#portswigger #access-control #web-security

Multi-Step Process with No Access Control on One Step

Lab

Multi-step process with no access control on one step · Apprentice

Solution

Given

This lab has an admin panel with a flawed multi-step process for changing a user's role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Analyzing the task

There is an admin panel whose process for changing a user's role is vulnerable. First we need to see how the admin panel works (we are given admin credentials). Then, logged in as wiener, we exploit the flaw to escalate to administrator privileges.

Recon

Let's look at the admin panel. It has a user selector; the selected user can be promoted to admin or demoted from admin.

We selected a user, clicked make admin:

POST /admin-roles
username=carlos&action=upgrade

We got HTML in response — a confirmation page for the action. If we click «Confirm»:

POST /admin-roles
action=upgrade&confirmed=true&username=carlos

The second request adds the parameter confirmed=true. This confirmation request looks like the vulnerable step: if it does not re-check the caller's role, a normal user could skip the first step and send it directly. Still, let's test both steps.

Log in as wiener and send POST /admin-roles first without the confirmed parameter, then with it. Two payload variants:

POST /admin-roles
action=upgrade&username=wiener

POST /admin-roles
action=upgrade&confirmed=true&username=wiener

The first payload returns «Unauthorized»; the second succeeds. The access-control check is enforced only on the first step of the process, so the confirmation step can be called directly by any logged-in user.
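To make the flaw and its fix concrete, here is an added illustration (my own example, not the lab's code) of a two-step role-change endpoint modelled in plain Python. The vulnerable handler checks the caller's role only when confirmed is absent, as the lab behaves; the hardened handler re-checks the role on every step and binds the confirmation to a pending action the server recorded when it showed the confirmation page. The user store, session handling, parameter names and the pending set are all constructed for this example.

```python
# Added example: a model of a two-step "change role" endpoint, first with the
# flaw described above (authorisation enforced only on the unconfirmed step)
# and then hardened so every step re-checks the caller's role. Everything
# here (users, sessions, the pending-action set) is constructed for the demo.

from dataclasses import dataclass

# Constructed user store mapping username -> role.
USERS = {"administrator": "admin", "wiener": "user", "carlos": "user"}


@dataclass
class Request:
    """Minimal stand-in for a POST /admin-roles request."""
    session_user: str  # the user the session cookie resolves to
    form: dict         # parsed body: username, action, optional confirmed


@dataclass
class Response:
    status: int
    body: str


def apply_role_change(users, target, action):
    """Perform the role change: 'upgrade' makes admin, anything else demotes."""
    users[target] = "admin" if action == "upgrade" else "user"


def vulnerable_admin_roles(req, users):
    """Flawed flow: only the unconfirmed step verifies the caller is an admin."""
    if req.form.get("confirmed") != "true":
        if users.get(req.session_user) != "admin":
            return Response(401, "Unauthorized")
        return Response(200, "Confirm the action")
    # Flaw: the confirmed step trusts the client-supplied flag and never
    # re-checks who is calling, so any logged-in user can reach it directly.
    apply_role_change(users, req.form["username"], req.form["action"])
    return Response(200, "Role updated")


def hardened_admin_roles(req, users, pending):
    """Fixed flow: check the role on every step and tie the confirmation to
    server-side state recorded when the confirmation page was shown."""
    if users.get(req.session_user) != "admin":
        return Response(401, "Unauthorized")
    key = (req.session_user, req.form["username"], req.form["action"])
    if req.form.get("confirmed") != "true":
        pending.add(key)  # server remembers exactly what it asked to confirm
        return Response(200, "Confirm the action")
    if key not in pending:
        # A confirmed=true request that was never preceded by step one.
        return Response(400, "No pending action to confirm")
    pending.discard(key)
    apply_role_change(users, key[1], key[2])
    return Response(200, "Role updated")


def demo_vulnerable():
    """wiener skips step one and posts confirmed=true to the flawed handler."""
    users = dict(USERS)
    req = Request("wiener", {"username": "wiener", "action": "upgrade",
                             "confirmed": "true"})
    resp = vulnerable_admin_roles(req, users)
    return resp.status, users["wiener"]


def demo_hardened():
    """The same request against the hardened handler is rejected."""
    users = dict(USERS)
    req = Request("wiener", {"username": "wiener", "action": "upgrade",
                             "confirmed": "true"})
    resp = hardened_admin_roles(req, users, set())
    return resp.status, users["wiener"]


def demo_hardened_admin_flow():
    """A real admin still completes both steps; a bare confirm is refused."""
    users, pending = dict(USERS), set()
    bare = hardened_admin_roles(
        Request("administrator", {"username": "carlos", "action": "upgrade",
                                  "confirmed": "true"}), users, pending)
    step1 = hardened_admin_roles(
        Request("administrator", {"username": "carlos", "action": "upgrade"}),
        users, pending)
    step2 = hardened_admin_roles(
        Request("administrator", {"username": "carlos", "action": "upgrade",
                                  "confirmed": "true"}), users, pending)
    return bare.status, step1.status, step2.status, users["carlos"]


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())         # (200, 'admin')
    print("hardened:", demo_hardened())             # (401, 'user')
    print("admin flow:", demo_hardened_admin_flow())  # (400, 200, 200, 'admin')
```

The point of the hardened version is that confirmed=true is just another client-controlled field: it proves nothing on its own, so the server must both repeat the authorisation check and verify that this confirmation corresponds to a step it actually presented to this session.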

Lab solved.