How I earned a $500 bounty for a privilege escalation vulnerability!!


Mohan Kumar N

Hello h4ckers! One fine day I got a program to hunt on from my friend. I read the scope and started manually visiting the in-scope domains. Their paid product is billing software for businesses; in simple words, we can use it for managing customers, invoices, subscriptions, etc. We can sign up for a free trial version for 2 weeks. Let's call the target redacted.com, as the bug is not yet patched.

After signing up for a trial account, I started exploring the features. We can invite other users with different roles assigned to them. Apart from the predefined roles (Administrator, Customer_manager, Accounts_manager), we can also create custom roles with a specific set of permissions.

Example: “custom_role1” with the permissions “create_invoice” and “Delete_invoice”.

I invited a few users by assigning them predefined roles (Administrator, Customer_manager, Accounts_manager) and tested for broken access control issues and other session handling issues. However, I didn't find anything in these areas. So from the main admin account I deleted all the invited users, and here I found something fishy. In the users endpoint www.redacted.com/company/users all the users are listed with their IDs. The IDs start from 1 and go on: id 1 is the admin account, id 2 is the first invited user, and so on.

When we click on any user on this endpoint www.redacted.com/company/users, we can edit their profile, and the URL will be like redacted.com/company/users/edit/<id>. If I am editing user 2, the URL will be redacted.com/company/users/edit/2. What I did is, I deleted user 2 and then tried to access his profile through the URL redacted.com/company/users/edit/2, which should not be possible because his profile had been deleted. But I was able to access his profile. After finding this flaw at 3 AM, I somehow had to create an impact here to report this as a bug.

While playing with the ID values on redacted.com/company/users/edit/<id>, I found something weird. As I said before, the id value for users starts from 1 and goes on. I tried changing the id value to 0 on this edit user endpoint, redacted.com/company/users/edit/0, which showed me an empty profile with all the fields blank. I filled in the values Name, Email, Role and other details and clicked on SAVE. Immediately a new user profile was created and the email invite was sent.

I didn’t expect this to happen, because I was able to create and invite a user from the redacted.com/company/users/edit/ endpoint, which is only for editing already existing users. Again, what is the impact here? NOTHING!!! Did I report it? NO. I was like, I need something much bigger.

After running through many possibilities in my head, I got an idea to exploit this flaw.

1. Create a “Custom Role” with the permissions “View Users” & “Edit users”; let's call it “custom_role1”.
2. Invite a new user (user2) with the above custom role assigned to him. So this user2 only has permission to view and update existing users; he doesn't have permission to create a new user.
3. Accept the invite, log in as user2, and visit the endpoint where all the users are listed: redacted.com/company/users.
4. Click on any user to edit their profile; the URL goes like redacted.com/company/users/edit/<id>. Now we apply the flaw we found earlier: change the id value to 0 so that we can access the empty profile. As before, changing the id parameter to 0 displayed the empty profile. Okayyyyy… almost done.
5. I filled in the details: Name, Email and other info. One important thing is that while filling in this empty profile there is an option to assign the ROLES. I assigned the “Administrator” role to increase the impact.
6. Finally, I need to click on SAVE. Now 2 things can happen: either I will be able to create a user or I will get a 403 Forbidden error. When I clicked on SAVE, Booom!! A new user profile was created and the invite was sent to the new user by email.
7. From the invite received, the new user is able to sign in as administrator and take full control of the dashboard.

A low-privileged user who has only the “View user” & “Update user” permissions is able to create a user with the Administrator role, escalating privilege due to a flaw in the edit/user endpoint, which results in complete takeover of the organization dashboard.
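To make the root cause concrete, here is the edit handler modelled in Python with the flawed check beside a fixed one. This is an added example, not the target's code: the permission names, the in-memory Store and the soft-delete flag are assumptions, and user ids start at 1 as in the write-up.

```python
class Forbidden(Exception): pass
class NotFound(Exception): pass

# Permission sets are constructed for this example; the role names mirror the write-up.
PERMISSIONS = {
    "Administrator": {"view_users", "edit_users", "create_users", "assign_roles"},
    "custom_role1": {"view_users", "edit_users"},  # may view and update, never create
}

class Store:
    """In-memory user table: ids start at 1 as on the target; deletes are soft."""
    def __init__(self):
        self.users, self.next_id = {}, 1

    def add(self, name, email, role):
        uid, self.next_id = self.next_id, self.next_id + 1
        self.users[uid] = {"id": uid, "name": name, "email": email, "role": role, "deleted": False}
        return uid

    def delete(self, uid):
        self.users[uid]["deleted"] = True  # soft delete: the row stays in the table

def vulnerable_save(store, actor, user_id, fields):
    # Flawed edit handler: checks only 'edit_users', and an unknown id (0) becomes
    # a blank form whose SAVE inserts a brand-new user, chosen role included.
    if "edit_users" not in PERMISSIONS[actor["role"]]:
        raise Forbidden("edit_users required")
    target = store.users.get(user_id)  # a soft-deleted row is still returned here
    if target is None:
        return store.add(fields["name"], fields["email"], fields["role"])
    target.update(fields)  # no check on who may change 'role'
    return target["id"]

def hardened_save(store, actor, user_id, fields):
    # Fixed handler: edit never creates, deleted rows are not found, and changing
    # 'role' needs 'assign_roles', which custom_role1 does not hold.
    perms = PERMISSIONS[actor["role"]]
    if "edit_users" not in perms:
        raise Forbidden("edit_users required")
    target = store.users.get(user_id)
    if target is None or target["deleted"]:
        raise NotFound(f"user {user_id}")
    if fields.get("role", target["role"]) != target["role"] and "assign_roles" not in perms:
        raise Forbidden("assign_roles required to change a role")
    target.update(fields)
    return target["id"]
```

The fix is two separate decisions: the edit route refuses to create (unknown or deleted id is a 404, never a blank form), and granting a role is its own permission rather than a side effect of "edit".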

Takeaway: When you find a flaw or a functionality issue, don't report it immediately. Take some time to think about how to increase the impact and severity of the flaw you found.

This is my 1st writeup and I hope you loved it! :)

Severity: High & Bounty Awarded: 500 USD

Thanks for reading, and see you soon for a new adventure.

Contact:

LinkedIn: https://www.linkedin.com/in/mohankumar007/
