Day 33/100 Hack and Improvement

1 minute read

Day 33 comes with Privilege Escalation for JWT and LFI potentialities!

Privilege Escalation in JWT

From Rajesh Ranjan. In this writeup, the researcher has explained that, how he was able to escalate the privilege, and gained access to Admin level user. The website was using JWT, checkout the writeup here.

LFI and potentialities

From Sam (CoffeeJunkie). After spending a good one year and a half in Hack The Box and rooting more than 60 boxes, there were pretty interesting vulnerabilities such as Local File Inclusion (LFI), in the target machine seemed simple due to the lack of firewalls and complex security that companies in the real world have. Then, moving to a real world testing and practicing in Bug Bounty programs, it feels like crashing your face to the wall at the time to try to attack them with these kind of vulnerabilitites. That is why today I came up with some LFI reports which shows how attackers accomplished such attack.

Reports and thoughts

LFI with Potential RCE in DoD (Department of Defense)

The attacker found an interesting parameter in the following content:

{"contentId":"12345","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=wHEHYJpCkpg","width":"300","height":"200","_template":"file://../"}}}

As you can see, the parameter _template: is the one with the LFI vulnerability, which can be accomplish with the following manner.

"_template":"file://../"

Local file inclusion at IKEA.com

The attacker found a place where a product list is generated with a PDF, and also it can be emailed to the attacker’s email. In this case, the way how the PDF is generated will disclose the vulnerability in the paremeters sent in the HTTP request. In this case, the attacker saw the parameter pdf which was base 64 encoded with the the following template, this is what the attacker added to the template in order to get the LFI vulnerability.

<annotation file=\”/etc/passwd\” content=\”/etc/passwd\” icon=\”Graph\” title=\”Attached File: /etc/passwd\” pos-x=\”195\” />

Leave a comment