Day 33 comes with Privilege Escalation for JWT and LFI potentialities!
Privilege Escalation in JWT
From Rajesh Ranjan. In this writeup, the researcher explains how he was able to escalate privileges and gain access to an admin-level user. The website was using JWT; check out the writeup here.
LFI and potentialities
From Sam (CoffeeJunkie). After spending a good year and a half on Hack The Box and rooting more than 60 boxes, there were pretty interesting vulnerabilities such as Local File Inclusion (LFI); in the target machines they seemed simple due to the lack of firewalls and the complex security that companies in the real world have. Then, moving to real-world testing and practicing in Bug Bounty programs, it feels like crashing your face into the wall when you try to attack them with these kinds of vulnerabilities. That is why today I came up with some LFI reports which show how attackers accomplished such attacks.
Reports and thoughts
The attacker found an interesting parameter in the following content:
As you can see, the parameter _template is the one with the LFI vulnerability, which can be exploited in the following manner.
The attacker found a place where a product list is generated as a PDF, which can also be emailed to the attacker's email address. In this case, the way the PDF is generated discloses the vulnerability in the parameters sent in the HTTP request. Here, the attacker saw the parameter
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
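Both reports above share one root cause: a request parameter (the _template name, or HTML that an HTML-to-PDF renderer turns into a file attachment) ends up controlling which server-side file is read. The following is an added example, not code from either writeup or from the affected sites, showing the two controls a defender would put in place: resolve template names only from an allowlist and confirm the resolved path stays under the template directory, and strip file-attachment annotation tags from user-supplied content before it reaches the PDF renderer. It also runs a small detector over constructed access-log lines to flag the request shapes seen in these reports. The template directory path, the allowlist names, the log format and every log line are constructed for the example and are not taken from the reports.

```python
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed for this example: where templates live and which names are legitimate.
TEMPLATE_ROOT = Path("/var/www/app/templates")
ALLOWED_TEMPLATES = {"invoice", "product_list", "receipt"}


def resolve_template_unsafe(name: str) -> Path:
    """The LFI-prone pattern: user input is joined straight onto a directory.
    A value like ../../../../etc/passwd walks out of TEMPLATE_ROOT."""
    return Path(str(TEMPLATE_ROOT) + "/" + name)


def resolve_template_safe(name: str) -> Optional[Path]:
    """Hardened version: allowlist the bare name, then verify the normalized
    path is still inside TEMPLATE_ROOT. Returns None for anything rejected."""
    name = unquote(name)  # decode %2e%2e%2f-style encoding before checking
    if name not in ALLOWED_TEMPLATES:
        return None
    candidate = TEMPLATE_ROOT / f"{name}.html"
    # normpath collapses any ".." without touching the filesystem, so the
    # containment check works offline and cannot be fooled by encoding tricks.
    normalized = Path(os.path.normpath(str(candidate)))
    if TEMPLATE_ROOT not in normalized.parents:
        return None
    return normalized


# Renderer-side control: remove attachment tags from content we did not author.
ANNOTATION_TAG = re.compile(r"<annotation\b[^>]*/?>", re.IGNORECASE)


def strip_file_annotations(html: str) -> Tuple[str, int]:
    """Return the HTML with every <annotation ...> tag removed and how many were removed."""
    return ANNOTATION_TAG.subn("", html)


# Detection over request logs: patterns matching the two report shapes above.
LFI_SIGNATURES = [
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("sensitive_path", re.compile(r"(/etc/passwd|/proc/self/|win\.ini)", re.IGNORECASE)),
    ("pdf_attachment_tag", re.compile(r"<annotation\b[^>]*\bfile\s*=", re.IGNORECASE)),
]


def classify_request(log_line: str) -> List[str]:
    """Double-decode the line (attackers often encode twice) and return the
    labels of every LFI signature it matches; an empty list means clean."""
    decoded = unquote(unquote(log_line))
    return [label for label, pattern in LFI_SIGNATURES if pattern.search(decoded)]


# Constructed access-log lines in a simplified format (not from the reports).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /render?_template=invoice HTTP/1.1" 200',
    '10.0.0.9 - - "GET /render?_template=../../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /render?_template=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200',
    '10.0.0.12 - - "POST /products/pdf HTTP/1.1" 200 '
    'body=<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="x" pos-x="195" />',
]


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, labels) only for lines that matched at least one signature."""
    hits = []
    for line in lines:
        labels = classify_request(line)
        if labels:
            hits.append((line, labels))
    return hits


if __name__ == "__main__":
    print("unsafe resolves to:", os.path.normpath(str(resolve_template_unsafe("../../../../etc/passwd"))))
    print("safe rejects traversal:", resolve_template_safe("../../../../etc/passwd"))
    print("safe accepts allowlisted:", resolve_template_safe("invoice"))
    for line, labels in scan_log(SAMPLE_LOG):
        print(labels, line)
```

The allowlist alone already blocks the traversal input; the normpath containment check is kept as defense in depth for the day someone loosens the allowlist. In the PDF case the fix belongs in the renderer's input pipeline, not in the template: any tag that makes the renderer open a local path has to be removed or the renderer configured to disallow local file access.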