I recently stumbled upon a fascinating issue while testing Examosis, an educational platform. The issue allowed low-privileged users (students) to delete documents and items they weren't supposed to delete; only administrators should have the privilege to delete content.
Understanding Target (Examosis)
Examosis (a placeholder name used here to protect the identity of the real platform) is an online learning platform widely used in educational institutions, particularly in the healthcare field. Examosis provides students and educators with a comprehensive set of tools and resources to enhance the learning experience.
What’s Privilege Escalation?
Think of privileges as keys to different rooms in a building. You have a key to your room, and your teacher has a key to the classroom. One day you somehow get a key that opens every room, including the ones you are not supposed to enter. That is what "privilege escalation" means in the computer world: getting access you shouldn't have. In a web application it usually means the server lets a low-privileged account perform an action reserved for a higher role, because the only "check" is that the button is hidden in the user interface rather than a server-side authorization check on the request itself.
Discovering the Bug
I was browsing Examosis with two accounts open at the same time: one as a regular student and the other as an administrator.
I noticed something interesting. The administrator account had a special feature that allowed it to delete files and content that regular students weren’t supposed to touch.
Curiosity got the better of me, and I wondered, "What if I could use the student account to delete files too?"
I tried it out: I clicked the delete button, captured the request, and deleted the file with the administrator account first.
But here's where it got exciting. I replayed that same request with the student account, the one that wasn't supposed to have this power. And guess what? It worked again!
```http
DELETE /v0/link/`ID` HTTP/2
Host: www.examosis.org
Cookie: _--------student/user cookie-----------
Content-Length: 37
...
```
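The test described above (delete as admin, then replay the identical request with the student's session cookie), together with the server-side fix, as an added example that is not code from the original post or from Examosis. It runs an offline toy HTTP server on localhost; the session cookies, document IDs and the `/v0/link/<id>` route shape are constructed assumptions, not data from the real platform.

```python
"""Added example (not from the original post): a local, offline reproduction of
the role-replay test, plus the server-side fix.

Everything here is constructed for illustration: the session cookies, the
document IDs and the /v0/link/<id> route shape are assumptions, not data
from Examosis."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed session table: cookie value -> role. A real app would look the
# cookie up in its session store; these values are placeholders.
SESSIONS = {"admin-cookie-0001": "admin", "student-cookie-0002": "student"}


def make_handler(documents, enforce_role):
    """Build a request handler over a shared `documents` dict.

    enforce_role=False reproduces the bug: any authenticated user may DELETE.
    enforce_role=True is the fix: the server checks the caller's role itself
    instead of trusting that only admins were shown a delete button."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_DELETE(self):
            cookie = self.headers.get("Cookie", "")
            role = SESSIONS.get(cookie)
            if role is None:
                self.send_response(401)  # no or unknown session
                self.end_headers()
                return
            if enforce_role and role != "admin":
                self.send_response(403)  # authenticated but not authorised
                self.end_headers()
                return
            prefix = "/v0/link/"
            doc_id = self.path[len(prefix):] if self.path.startswith(prefix) else None
            if doc_id not in documents:
                self.send_response(404)
                self.end_headers()
                return
            del documents[doc_id]
            self.send_response(204)
            self.end_headers()

    return Handler


def start_server(documents, enforce_role):
    """Start the toy server on a free localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(documents, enforce_role))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def replay_delete(port, cookie, doc_id):
    """Send the same DELETE request under a chosen session cookie; return the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("DELETE", f"/v0/link/{doc_id}", headers={"Cookie": cookie})
    status = conn.getresponse().status
    conn.close()
    return status


def role_comparison(enforce_role):
    """Delete one document as admin, then replay the identical request as a
    student against a second document. Returns the two status codes and the
    IDs still stored afterwards."""
    documents = {"doc-1": "admin deletes this", "doc-2": "student tries this"}
    server, port = start_server(documents, enforce_role)
    try:
        admin_status = replay_delete(port, "admin-cookie-0001", "doc-1")
        student_status = replay_delete(port, "student-cookie-0002", "doc-2")
    finally:
        server.shutdown()
        server.server_close()
    return {"admin": admin_status, "student": student_status,
            "remaining": sorted(documents)}


if __name__ == "__main__":
    print("vulnerable:", role_comparison(enforce_role=False))
    print("fixed:     ", role_comparison(enforce_role=True))
```

With `enforce_role=False` both requests return 204 and both documents are gone, which is exactly the behaviour observed in the post. With `enforce_role=True` the student's replay is refused with 403 and its document survives. The point of the fix is that the check lives in the handler that performs the action, so it holds no matter how the request was produced.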
The Bounty
Now, let's talk about the cool part: the reward I got for finding this bug. I went to the program's report submission page and submitted the report, and as a way to say "thank you" they paid me $500!
Takeaway
When you're testing a website, explore and compare permissions between the different types of accounts. Start as a regular user and try to do the things meant for admins: capture a privileged request (delete, edit, approve) from the admin session, replay it with the low-privileged session's cookie, and see whether the server refuses it. A hidden button is not an access control; the role check has to happen server-side on every request.
Leave a clap if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting content.
Find me on Twitter: @a13h1_
Keep Supporting, Keep Clapping, Keep Commenting.