We covered directory traversal vulnerability to solve Challenge 007 in OWASP Hackademic free lab.
Understanding the Challenge: Bypassing a Bribe
The scenario presented a student who needed to change their grades, but the administrator was demanding a bribe. My goal was to bypass this ethical dilemma and gain direct admin access to modify the grades myself.
Initial Reconnaissance and Directory Traversal
The initial webpage had a text input field, but it was for a username, not a password. Standard approaches like SQL injection or brute-forcing seemed unlikely to work given the context.
So, I turned to directory traversal. I used Burp Suite to intercept requests and explore the website’s directory structure. By utilizing the “Spider” feature in Burp Suite, I was able to identify various files and directories that weren’t immediately obvious from the main site. This led me to a crucial discovery: a file named "last_look_in.txt" located within a directory called "index_files".
Finding the Username and Cookie Manipulation for Privilege Escalation
Accessing "last_look_in.txt" revealed the last logged-in user, who was “Ireland.” I then used this username to access the student’s grades page.
At this point, my access level was “user.” I inspected the cookies using Burp Suite and found two key cookies: "username" (set to “Ireland”) and "user_level" (set to “user”). My first thought was to change the "user_level" cookie to “root,” but this didn’t work. Undeterred, I then tried changing "user_level" to “admin.”
Success and Security Recommendations
Changing the cookie to “admin” successfully granted me administrator access to the website! With this elevated privilege, I could now change the grades as intended, completing the challenge.
The video concluded by highlighting the vulnerabilities I exploited: directory traversal and cookie manipulation. It strongly recommended implementing proper authorization and authentication for sensitive files and directories to prevent such attacks. Specifically, sensitive files like "last_look_in.txt" should not be easily accessible or should have restricted access to prevent information disclosure.
