· What is Privilege escalation:
Privilege escalation is gaining access to resources that a user is not authorized to use by escalating that user's privileges.
There are multiple ways to achieve this, such as modifying a user parameter in a request or directly accessing a URL the user should not be able to reach. The attacker's ultimate goal is to access sensitive data or API tokens, bypass user controls, or perform other malicious actions. It has two types:
i. Horizontal Privilege Escalation: when a user accesses the resources of another user who has the same level of access rights.
For example, User ‘A’ takes over the privileges of User ‘B’.
ii. Vertical Privilege Escalation: when a user accesses the resources of a user who has more privileges than they do, most often root (admin) privileges.
For example, a “normal user” takes over the privileges of “admin”.
· Why does privilege escalation occur?
There are many reasons behind it. Let me focus on some:
i. Weak access control: Access control determines what an authenticated user is allowed to do, for example that only an admin gets admin authorization. When the access control on the endpoints is weak (the server trusts a role or username supplied by the client instead of checking its own session), a normal user can reach the admin role.
ii. Social engineering plays a very important role in it. Attackers search for users who can be exploited, and once such a user is found they try to escalate privileges through that user's account.
We have an application that has two users, a normal user and an admin user. We only have access to the normal user, so we need to escalate our privileges in order to access the admin.
If we intercept the login request, we can see the CSRF token along with the credentials.
In addition, all these parameters are compulsory: we cannot send them blank, and modifying the username to “administrator” gives an error of invalid credentials.
After logging in to the application we have a “Change password” functionality.
Intercepting this request shows the username field alongside the current-password and new-password fields.
If I modify the username to ‘administrator’ and leave the rest of the fields as they are, the application returns an error.
So let's try removing the current-password field from the request and see what happens.
As soon as I modified and forwarded the request, the password was changed successfully. The server only validated the current password when the field was present, and it took the account to change from the username in the request rather than from the logged-in session.
Let's try to log in with the username administrator and the password we just entered to see whether we were able to escalate privileges.
Logging in as administrator with the password I set while changing it works: I can log in as admin and can access the admin panel as well.
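To make the two flaws concrete, here is a Python example added here (it is not code from the original write-up or from the lab application) that models the change-password handler the way the steps above describe it, next to a hardened version. The user store, user names, passwords and form field names (`username`, `current-password`, `new-password`) are assumptions made for the demonstration; the behaviour it reproduces is the one observed above: a request that names another account is rejected while the current-password field is present and accepted once the field is removed.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store() -> dict:
    """Constructed in-memory user store for the demo (names and passwords are made up)."""
    users = {}
    for name, password, role in (("user1", "user1-pass", "user"),
                                 ("administrator", "admin-secret", "admin")):
        salt = os.urandom(16)
        users[name] = {"salt": salt, "hash": _hash(password, salt), "role": role}
    return users


def verify(users: dict, name: str, password: str) -> bool:
    """Constant-time check of a password against the stored hash."""
    user = users.get(name)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


def vulnerable_change_password(users: dict, session: dict, form: dict) -> tuple:
    """Broken handler modelled on the behaviour described above.

    Flaw 1: the account to change comes from the form, not from the session.
    Flaw 2: the current password is only checked when the field is present.
    """
    username = form.get("username")
    if username not in users:
        return 404, "no such user"
    if "current-password" in form and not verify(users, username, form["current-password"]):
        return 403, "current password is incorrect"
    user = users[username]
    user["hash"] = _hash(form["new-password"], user["salt"])
    return 200, "password changed"


def secure_change_password(users: dict, session: dict, form: dict) -> tuple:
    """Hardened handler: identity from the server-side session, and the
    current password is always required, so a missing field is a rejection."""
    username = session.get("user")
    if username not in users:
        return 401, "not logged in"
    current = form.get("current-password")
    if not current or not verify(users, username, current):
        return 403, "current password is incorrect"
    new_password = form.get("new-password")
    if not new_password:
        return 400, "new password required"
    user = users[username]
    user["hash"] = _hash(new_password, user["salt"])
    return 200, "password changed"


def run_demo() -> dict:
    """Replays the attack from the write-up against both handlers."""
    attacker = {"user": "user1"}  # a logged-in normal user
    with_current = {"username": "administrator",
                    "current-password": "user1-pass", "new-password": "pwned"}
    without_current = {"username": "administrator", "new-password": "pwned"}

    users = make_store()
    results = {
        "vuln_with_current": vulnerable_change_password(users, attacker, with_current)[0],
        "vuln_without_current": vulnerable_change_password(users, attacker, without_current)[0],
        "vuln_admin_pw_is_pwned": verify(users, "administrator", "pwned"),
    }

    users = make_store()
    results["secure_without_current"] = secure_change_password(users, attacker, without_current)[0]
    results["secure_with_current"] = secure_change_password(users, attacker, with_current)[0]
    # Even the "successful" request only changed the attacker's own password.
    results["secure_admin_pw_is_pwned"] = verify(users, "administrator", "pwned")
    results["secure_user1_pw_is_pwned"] = verify(users, "user1", "pwned")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is not the password hashing but the two checks: the account being modified is taken from the authenticated session, so a `username` field in the form is ignored, and the current password is treated as mandatory rather than optional, so deleting the field yields a 403 instead of a bypass.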
· How to prevent it:
i. Set a good policy for access controls, and enforce it on the server side for every endpoint rather than trusting a username or role sent by the client.
ii. Follow the principle of least privilege. There is no need to give every user more rights than they need.
iii. Do not set default credentials for access.
iv. For sensitive actions such as changing a password, always require the current password and apply the change to the account in the logged-in session, never to a username taken from the request.