We covered the directory traversal vulnerability used to solve Challenge 007 in the free OWASP Hackademic lab.

Understanding the Challenge: Bypassing a Bribe

The scenario presented a student who needed to change their grades, but the administrator was demanding a bribe. My goal was to bypass this ethical dilemma and gain direct admin access to modify the grades myself.

Initial Reconnaissance and Directory Traversal

The initial webpage had a text input field, but it was for a username, not a password. Standard approaches like SQL injection or brute-forcing seemed unlikely to work given the context.

So, I turned to directory traversal. I used Burp Suite to intercept requests and explore the website’s directory structure. Using the “Spider” feature in Burp Suite, I was able to identify various files and directories that weren’t immediately obvious from the main site. This led me to a crucial discovery: a file named "last_look_in.txt" located within a directory called "index_files".

Finding the Username and Cookie Manipulation for Privilege Escalation

Accessing "last_look_in.txt" revealed the last logged-in user, who was “Ireland.” I then used this username to access the student’s grades page.

At this point, my access level was “user.” I inspected the cookies using Burp Suite and found two key cookies: "username" (set to “Ireland”) and "user_level" (set to “user”). My first thought was to change the "user_level" cookie to “root,” but this didn’t work. Undeterred, I then tried changing "user_level" to “admin.”

Success and Security Recommendations

Changing the cookie to “admin” successfully granted me administrator access to the website! With this elevated privilege, I could now change the grades as intended, completing the challenge.

The video concluded by highlighting the two vulnerabilities I exploited: directory traversal and cookie manipulation. It strongly recommended implementing proper authentication and authorization for sensitive files and directories to prevent such attacks. Specifically, sensitive files like "last_look_in.txt" should not be reachable from the web root, or should have restricted access, to prevent information disclosure; and the server should never derive a user's privilege level from a value the client can edit, such as the "user_level" cookie.
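The cookie-manipulation flaw described above, alongside a server-side fix, as an added example that is not code from the Hackademic challenge itself. The cookie names "username" and "user_level" come from the challenge; the "session_id" cookie, the session store and the user table are assumptions made for this illustration.

```python
# Added example (not the challenge's own code): trusting a client-editable
# "user_level" cookie versus resolving the role on the server from a session.
from http.cookies import SimpleCookie
import secrets

# Constructed server-side state: opaque session id -> authenticated username,
# and a user table holding the real privilege level of each account.
SESSIONS = {}
USER_LEVELS = {"Ireland": "user", "grader": "admin"}  # constructed sample data


def parse_cookies(cookie_header):
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(cookie_header):
    """Vulnerable check: the role is read straight from the client's cookie.

    Any client can rewrite user_level=user to user_level=admin, which is
    exactly the step that solved the challenge."""
    return parse_cookies(cookie_header).get("user_level") == "admin"


def login(username):
    """Issue an opaque, unguessable session id after authentication.

    Only the id is sent to the client; the privilege level never leaves the
    server, so there is nothing for the client to tamper with."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def hardened_is_admin(cookie_header):
    """Hardened check: map the session id back to a user on the server and
    look the role up there. Client-supplied user_level is ignored entirely."""
    session_id = parse_cookies(cookie_header).get("session_id")
    username = SESSIONS.get(session_id)
    if username is None:
        return False  # unknown or forged session id: no privileges at all
    return USER_LEVELS.get(username) == "admin"
```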


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
