Privilege Escalation: Guest User Escalates to Full Project Access After Project Visibility Is Switched to Public
Hello Hackers
I’m Mohamed, also known as Mado, a dedicated Web Application Penetration Tester and bug hunter.
NOTE: This write-up is about bug hunting and focuses on privilege escalation. Get your coffee and let's go. If you liked the write-up, don't forget to give it 50 claps. Thank you.
My Target Overview
My target is a widely used task management app, available as a web app, mobile apps, desktop clients, and browser extensions. It supports personal and team workspaces, shared projects, and link-based project sharing.
Roles In My Target:
- Guest = Can edit anything in the project, but can’t remove anyone
- Admin = Can do anything, remove or edit
My Exploitation Technique:
1. I create a Team Workspace (including creating projects)
2. I create the project for writing the team's tasks
3. I invite my second account, but as a GUEST
Now I Have 2 Accounts
Owner = Main Account (Victim)
Guest = Attacker
Note: A guest in the team cannot access any project; the owner must first give them access to the project.
4. After inviting my second account as a Guest, I see that the project can be changed to Public, but anyone outside the workspace is view-only
5. I choose the last option (Public), and now anyone in the project can click the Copy Link button, view all the tasks, and share the link with people outside the team workspace (they can’t edit or do anything, view-only)
6. But wait, I have an idea: what if the Guest clicks the button, copies the link, leaves the project, and opens the link? Can he join, or does the owner have to give him access again? Or does the target not check the role and give him full permission?
First I try this: copy the link, go as an admin, and change the project from Public to “Anyone in the team can edit.” Should the link have expired? And yes, the link has expired.
Now I try the second scenario: as an admin, I change the project to Public. Then, as a Guest, I copy the link, leave the project, and open the link again. What do you think, does it work? Yes, my scenario works. The Guest escalates privileges and can remove anyone from the project, admins included.
Steps
1. Create a Team Workspace for creating projects
2. Create the project for writing my tasks
3. Invite the second account, but as a GUEST
4. As an Admin, change the project to Public
5. As a Guest, click the Copy Link button
6. The attacker leaves the project and opens the public link of the project
7. The target gives him full permission (edit, remove anyone)
The Results:
The target doesn't check the role if the user is in the team. The attacker can escalate the role and gain full access to the project after the project is changed to Public.
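The missing check, modelled as an added example (not the target's code and not part of the original write-up): a join handler that trusts team membership alone, next to one that grants only what the public link is meant to grant. All names, the data model and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Role(IntEnum):
    VIEWER = 0  # public link: view-only
    GUEST = 1   # can edit, cannot remove members
    ADMIN = 2   # can edit and remove members

@dataclass
class Project:
    public: bool = False
    team_roles: dict = field(default_factory=dict)  # user -> workspace role
    members: dict = field(default_factory=dict)     # user -> project role

def join_vulnerable(p, user):
    """Model of the reported behaviour: being in the team yields full access."""
    if not p.public:
        raise PermissionError("link expired")
    p.members[user] = Role.ADMIN if user in p.team_roles else Role.VIEWER
    return p.members[user]

def join_hardened(p, user):
    """The link only ever grants view-only; higher roles need an explicit grant."""
    if not p.public:
        raise PermissionError("link expired")
    if user in p.members:          # already a member: keep the existing role
        return p.members[user]
    p.members[user] = Role.VIEWER  # team membership is never promoted here
    return p.members[user]

def can_remove_members(p, user):
    return p.members.get(user) == Role.ADMIN

def replay(join):
    """Replays steps 4-7 of the write-up against a join handler (constructed data)."""
    p = Project(public=True,
                team_roles={"owner": Role.ADMIN, "guest": Role.GUEST},
                members={"owner": Role.ADMIN, "guest": Role.GUEST})
    del p.members["guest"]         # the guest leaves the project
    role = join(p, "guest")        # the guest opens the copied public link
    return role, can_remove_members(p, "guest")

if __name__ == "__main__":
    print("vulnerable:", replay(join_vulnerable))
    print("hardened:  ", replay(join_hardened))
```

Running `replay` against each handler makes a compact regression test for this bug class: the guest's role after rejoining must never exceed the role held before leaving.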
If you want to reach me, all my contact info is here: Click Here
……………Thank You For Reading and I hope This Was helpful………………