Hi fellow hunters, hope you are doing well and taking care of your health. This is V3D. I want to share a quick write-up, together with my friends Anuj (whhackerbsac) and Manav (A_s_h_hunter), on one of our recent findings: “Lower Privilege Admin Can Delete Super Admin and Takeover The Workspace”.
Note: It’s a private Bug Bounty Program, so I can’t disclose the program name. Let’s refer to it as REDACTED.COM.
Without any further ado... Let’s Start.
While hunting on this program, I saw that it had team functionality, which is one of my favourite areas to check for bugs. So I quickly created “Account A”, which becomes the Super Admin of the workspace. While inviting another user, I found there are 3 different roles:
Admin
Read-Write
Read-Only
Admin: An Admin has all privileges, such as creating tasks, deleting tasks and inviting other users, but does not have the privilege to delete or remove the Super Admin.
Read-Write: A user in this role can create and delete tasks, but cannot invite other users.
Read-Only: A user in this role has read privileges only.
Hope the roles’ privileges are clear. It’s time to check the functionality.
User A invites User B with the Admin role.
User B accepts the invitation, but he/she does not have the privilege to delete “User A/Super Admin”.
Let’s exploit it
User B invites User C with the Read-Write role.
Now User B tries to delete/remove User C.
The delete request looks like this (path parameters shown in braces):
DELETE /workspace/{workspaceID}/users/{userID}
Host: api.redacted.com
Note: userID is alphanumeric and not guessable.
You might now think it is easy to get another user’s userID, but it isn’t: I checked all the endpoints and could not find one that returned another user’s userID.
Don’t Give Up
So I changed User C’s role from Read-Write to Read-Only. That request looks like:
POST /workspace/{workspaceID}/updateUser/{userID}
Host: api.redacted.com
While looking at that flow, I found the following GET request:
GET /workspaces/{workspaceID}/settings
Host: api.redacted.com
From here we can get the userIDs of all the workspace members (Super Admin, Admin, Read-Write, Read-Only).
Now we have the Super Admin’s userID, which is User A’s.
Now try to delete the Read-Only user (User C) and intercept the request in Burp Suite.
Replace the Read-Only user’s userID with the Super Admin’s userID and forward the request.
Super Admin deleted successfully. The endpoint evidently checks only that the caller is an Admin and never looks at the role of the user being removed.
Refresh the Super Admin’s page: the account is logged out and has been removed from the workspace.
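To make the root cause concrete, here is an added example (not code from the program or the authors) that models the DELETE handler described above, first as it behaved and then with the missing target-side check. The role names come from the write-up; the userID strings, the rule that the last Super Admin can never be removed, and the self-removal rule are assumptions made for the example, not behaviour documented on the page.

```python
"""Model of the member-removal authorization bug and an assumed fix (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    """Workspace roles from the write-up, ranked so comparisons work."""
    READ_ONLY = 1
    READ_WRITE = 2
    ADMIN = 3
    SUPER_ADMIN = 4


class Forbidden(Exception):
    """HTTP 403 equivalent."""


class NotFound(Exception):
    """HTTP 404 equivalent."""


@dataclass
class Workspace:
    # userID -> Role. IDs are opaque strings, as in the real API. They are
    # NOT secrets: any endpoint that lists members will expose them.
    members: dict = field(default_factory=dict)


def remove_member_vulnerable(ws: Workspace, caller_id: str, target_id: str) -> None:
    """DELETE /workspace/{workspaceID}/users/{userID} as the write-up describes it.

    Only the caller's role is checked. Nothing looks at who the target is,
    so an Admin who knows the Super Admin's userID can remove them.
    """
    caller_role = ws.members.get(caller_id)
    if caller_role is None or caller_role < Role.ADMIN:
        raise Forbidden("only Admin or Super Admin may remove members")
    if target_id not in ws.members:
        raise NotFound(target_id)
    del ws.members[target_id]


def remove_member_hardened(ws: Workspace, caller_id: str, target_id: str) -> None:
    """Same handler with the target-side checks added (assumed fix, not the vendor's)."""
    caller_role = ws.members.get(caller_id)
    if caller_role is None or caller_role < Role.ADMIN:
        raise Forbidden("only Admin or Super Admin may remove members")
    target_role = ws.members.get(target_id)
    if target_role is None:
        raise NotFound(target_id)
    if caller_id == target_id:
        # Assumption: self-removal goes through a separate leave-workspace flow.
        raise Forbidden("use the leave-workspace flow to remove yourself")
    # The check the original endpoint lacked: a Super Admin can only be
    # removed by another Super Admin, never by an Admin.
    if target_role == Role.SUPER_ADMIN and caller_role != Role.SUPER_ADMIN:
        raise Forbidden("Admins may not remove the Super Admin")
    # Assumed safeguard: never leave the workspace without a Super Admin.
    super_admins = [u for u, r in ws.members.items() if r == Role.SUPER_ADMIN]
    if target_role == Role.SUPER_ADMIN and len(super_admins) == 1:
        raise Forbidden("cannot remove the last Super Admin")
    del ws.members[target_id]


def fresh_workspace() -> Workspace:
    """Constructed sample data matching the write-up: A super admin, B admin, C read-only."""
    return Workspace(members={
        "usr_a7f3k2": Role.SUPER_ADMIN,  # User A (constructed ID)
        "usr_q9m1x8": Role.ADMIN,        # User B, the attacker (constructed ID)
        "usr_c4t6p0": Role.READ_ONLY,    # User C, invited by B (constructed ID)
    })


def attempt(handler, ws: Workspace, caller_id: str, target_id: str) -> str:
    """Run one removal and report the outcome as the HTTP client would see it."""
    try:
        handler(ws, caller_id, target_id)
        return "removed"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def replay(handler) -> dict:
    """Replay the write-up's two requests against a handler."""
    ws = fresh_workspace()
    results = {
        # Step 1: B removes C, the legitimate request the author intercepted.
        "admin_removes_read_only": attempt(handler, ws, "usr_q9m1x8", "usr_c4t6p0"),
        # Step 2: the same request with userID swapped for the Super Admin's.
        "admin_removes_super_admin": attempt(handler, ws, "usr_q9m1x8", "usr_a7f3k2"),
    }
    results["super_admin_still_present"] = "usr_a7f3k2" in ws.members
    return results


if __name__ == "__main__":
    print("vulnerable:", replay(remove_member_vulnerable))
    print("hardened:  ", replay(remove_member_hardened))
```

The point of the example is that the caller-side check (is the requester an Admin?) was never the problem; the missing piece is the comparison between the caller's role and the target's role, which has to happen on the server in the DELETE handler regardless of what the UI hides.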
I quickly reported the issue and the team triaged it immediately, but the severity was set to P3. I explained the severity clearly to the team, but they said: “Our CVSS evaluation ratifies the severity awarded as P3”.
Tip: Never forget to test functionality; there is huge scope for finding bugs there. An unguessable ID is not an access control: some endpoint that lists members will eventually hand it to you, and the real check has to be done server-side in the endpoint that performs the action.
Hope you learned something new. If you liked the write-up, give it a clap and follow us on Twitter: V3D, Anuj, Manav.
Timeline:
Report Sent: 11 December 2022
Bounty Awarded ($$$): 29 December 2022