
Hello folks,
This is a repost of a blog from my own Medium account. It's been a while since I last wrote a blog, but I'm back with an interesting privilege escalation story that I discovered during a recent pentest. If you spot any grammar mistakes, feel free to correct me; I'm here to learn and share!
Recon
During a pentest on an internal application (let's call it site.redacted.com), I was provided access to six user accounts. One of them was a regular user, while the other five had various levels of functionality. Among them was also an admin account.
While navigating through the application, a thought struck me: what if I could somehow gain access to the functions available to higher-privileged users?
Mapping
As I refreshed the application, I noticed several API endpoints being triggered. Using the browser's DevTools, I found that one particular endpoint, /getAccess, returned the role information for the current session (roleID and roleName), which the front end used to decide which features to show.
Interestingly, this endpoint was triggered every time the homepage loaded, so it was worth exploring further.
Exploitation
Here's a breakdown of how I turned this observation into a working privilege escalation:
1. Refreshed the home page with Burp Suite's Intercept turned on.
2. Monitored requests: I forwarded all the requests until I caught the /getAccess request.
3. Modified the flow: right-clicked on the request and selected Do intercept > Response to this request.
4. Edited the response: the response containing the current roleID and roleName was displayed. I manually changed the roleID to that of the admin role.
5. Forwarded the modified response: boom. The admin features were now accessible.
6. Repeated the process: I tried changing the roleID to other values, and each time I was able to access a different user role and its associated functionality.
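The following is an added example and not code from the original post or from the tested application. It models the /getAccess flow in plain Node.js so the two halves of the bug can be seen side by side: a front end that gates its menu on the roleID it receives, and a back end that either trusts a client-supplied role (the pattern that makes response tampering a real escalation) or looks the role up from the session on every privileged call. The role IDs, session tokens, feature names and the deleteUser action are all assumptions made for illustration.

```javascript
// Added example (not from the original post): a self-contained model of the
// /getAccess flow. Role IDs, session tokens and feature names are constructed
// for illustration; the real application's values are not known.

// Constructed server-side session store: the only trustworthy source of a
// caller's role. In a real app this sits behind the session cookie.
const SESSIONS = {
  "sess-lowpriv": { roleID: 1, roleName: "user" },
  "sess-admin":   { roleID: 5, roleName: "admin" },
};

const ADMIN_ROLE_ID = 5; // assumed value of the admin roleID

// GET /getAccess: returns the caller's role for the front end to render.
function getAccess(sessionToken) {
  const s = SESSIONS[sessionToken];
  return s ? { roleID: s.roleID, roleName: s.roleName } : null;
}

// Front-end logic that gates the menu purely on the /getAccess body.
function renderMenu(access) {
  const items = ["dashboard", "profile"];
  if (access && access.roleID === ADMIN_ROLE_ID) items.push("manage-users");
  return items;
}

// What Burp's "Do intercept > Response to this request" lets the tester do:
// rewrite the JSON body before the browser ever sees it.
function tamperResponse(access, newRoleID, newRoleName) {
  return { ...access, roleID: newRoleID, roleName: newRoleName };
}

// Vulnerable back end: authorises the admin action with whatever roleID the
// client sends along (for example, copied from the tampered /getAccess).
function deleteUserWeak(sessionToken, body) {
  if (!SESSIONS[sessionToken]) return 401;
  return body.roleID === ADMIN_ROLE_ID ? 200 : 403;
}

// Hardened back end: ignores anything role-related in the request and looks
// the role up server-side on every privileged call.
function deleteUserHardened(sessionToken, body) {
  const s = SESSIONS[sessionToken];
  if (!s) return 401;
  return s.roleID === ADMIN_ROLE_ID ? 200 : 403;
}

// Walk through the attack with the low-privileged session.
function runScenario() {
  const token = "sess-lowpriv";
  const real = getAccess(token);                          // { roleID: 1, roleName: "user" }
  const forged = tamperResponse(real, ADMIN_ROLE_ID, "admin");
  const adminRequest = { userId: 42, roleID: forged.roleID };

  return {
    menuBefore: renderMenu(real),                         // no "manage-users"
    menuAfter: renderMenu(forged),                        // admin item now shown
    weakBackend: deleteUserWeak(token, adminRequest),     // 200: real escalation
    hardenedBackend: deleteUserHardened(token, adminRequest), // 403: UI unlock only
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The two back-end variants are the check that turns "the admin menu appeared" into a confirmed finding: replay an admin-only request with the low-privileged session and see whether the server behaves like deleteUserWeak (the escalation is real) or like deleteUserHardened (only the front end trusted /getAccess).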
Notes
I was able to confirm it was the admin role because I also had access to the admin account as part of the test scope.
This was an internal application with just six users, each with a unique permission level.
Starting from the lowest-privileged user, I successfully climbed the ladder by simply manipulating response data: classic privilege escalation through response tampering.
When reporting a finding like this, it is worth separating the two things that can go wrong. The front end trusting /getAccess to decide what to render is a client-side issue on its own; the escalation is only complete if the back end also accepts privileged requests from the low-privileged session. Replaying an admin-only request with the low-privileged user's session cookie settles that: a successful response proves the server is missing its own authorization check, while a 403 means only the UI was unlocked.
This was just one of the bugs I discovered during the assessment, and I’ll definitely be sharing more experiences soon. Thanks for reading and supporting my journey.
See you in the next one. Ba byee… 👋