Day 10/100 Hack and Improvement

2 minute read

Achieving today 10% of our goal of #100daystohackandimprove, day 10 comes with topics such as Remote Code Execution (RCE), and privilege escalation in web applications.

Privilege Escalation

From Rajesh Ranjan, Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

Vertical Privilege Escalation

If a user can gain access to functionality that they are not permitted to access then this is vertical privilege escalation. For example, if a non-administrative user can in fact gain access to an admin page where they can delete user accounts, then this is vertical privilege escalation.

nmap scan

Horizontal privilege escalation

Horizontal privilege escalation arises when a user is able to gain access to resources belonging to another user, instead of their own resources of that type. For example, if an employee should only be able to access their own employment and payroll records, but can in fact also access the records of other employees, then this is horizontal privilege escalation.

Example:

https://insecure-website.com/myaccount?id=123

Now, if an attacker modifies the id parameter value to that of another user, then the attacker might gain access to another user’s account page, with associated data and functions.

Source Portswigger

HackerOne Reports

  1. https://hackerone.com/reports/605720
  2. https://hackerone.com/reports/544928
  3. https://hackerone.com/reports/261285

Remote Code Execution

From Sam (CoffeeJunkie), This kind of vulnerability occurs when an application uses user-controlled input without sanitizing it. There are two ways to execute remote code execution which are executing shell commands and executing functions in the programming language that the vulnerable application user relies on.

Executing Shell Commands

If the application doesn’t sanitize its input, you can execute shell commands which will give access to operative system services.

Executing Functions

There is a way to perform RCE by executing functions according the programming language that the website has been developed.

Strategies for escalating remote code execution

There is a way to escalate remote code execution vulnerabilities by from executing functions can get executed shell commands in the application, which can compromise the whole system. Depending on the system, the attacker might have access as the local user of the target machine, but there will need some kind of privilege escalation with SUIDs and Kernel exploits depending the type of server version and operative system.

Write Up and Explanation

ALGOLIA RCE ON FACEBOOKSEARCH.ALGOLIA.COM

The attacker has been looking how the web application connects and how the cookies are working in the website. He realize part of the cookies were CookieStore as the session storage, that meaning that the attacker can craft any cookie that will then be accepted in the server. The attacker used the tool GitRob in order to extract interesting findings from different kind of repositories which contended secret tokens, those repositories never have to be public. Then the attacker used metasploit to use deseralization and obtain code execution.

Conclusion

This time, the topic were two big vulnerabilities that can cause negative effects in different kind of companies which will impact the costumers as well, such as web app privilege escalation and remote code execution.

Leave a comment