Security Breached Blog

One step at a time There's no need to rush It's like learning to fly!

Privilege Escalation like a Boss


Hello guys, this is Jay Jani and after a long time, I am back with one of my findings. This one is a simple privilege escalation on a private program on HackerOne.

 

PS: This post is for noobs like me, so leets please ignore the post :/

 

So I was invited to participate in a private program. I quickly went through the working flow of the application. After finishing recon, I tried to find the loopholes in it. I tried IDOR and privilege issues based on the application's behavior but failed. The flow of the application is:

A higher privilege user has access to

 

A lower privilege user has access to only

 

I tried to force-browse the request, but it showed me nothing.


I wanted to get rid of this, so I started analyzing each and every request I captured. Suddenly I observed that there is an authorization header in each request which prevents me from performing the attack.

 

I noticed that this is a JWT (JSON Web Token; you can learn more about it in the reference I gave at the end of the post). So what is a JSON Web Token (JWT)?

Generally, the format of a JWT looks like

header.payload.signature

1. Header
The header is a JSON object in the following format:


2. Payload
The payload component of the JWT is the data that's stored inside the JWT.


3. Signature
The signature is computed using the following pseudocode:

// signature algorithm
data = base64urlEncode( header ) + "." + base64urlEncode( payload )
hashedData = hash( data, secret )
signature = base64urlEncode( hashedData )

So I decoded it and tried to see what it contains. The result looks like:

 

So I got what they are doing here: they encode "userId", "IP", "Browser information" and "OS information". But again, poor me 🙁, I got the user id but it is a UUID :/ My thought process was:

But I wanted to give it one more try. After googling for some time, I found that it is possible to crack a UUID if it is generated with Math.random().

The next step was to find the JS file and check whether the application uses Math.random() to generate the UUID, and I found one JS file.

They were using the code as below.

So the next step was to break this. I tried a lot but failed. The same situation again, back where I started :/

I contacted the man who wrote the post on how he was able to break the function. He was really good and helpful, and a master too :p. He helped me break the function and I got the user id in plaintext form.

The next step was to encode the JWT with the replaced user id, and I was able to access the functionality of the Admin user.

So that's it guys from my side. Hope you learned something new.


Here are some reference links you might want to check.

Understanding JSON Web Token : https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
JWT Encoder – Decoder : https://www.jsonwebtoken.io/
How to break UUID : https://littlemaninmyhead.wordpress.com/2015/11/22/cautionary-note-uuids-should-generally-not-be-used-for-authentication-tokens/
Finding JavaScript Files : https://github.com/zseano/InputScanner


Want to try your skills on JWT? You can try PentesterLab's exercise.

Tip: If you failed to find your desired bug, try to think as a developer: "how can I prevent anyone from accessing this?" You will come up with the answer by yourself. Never lose hope. 🙂

7 Comments

1. Thanks for the appreciation and really sorry for the late reply. Actually the encoding and decoding part was not done by me. I mentioned the link at the end of the write-up of the guy who did that.

  1. Hi!

Thanks for sharing, the article is really good! One question: if you haven't got the secret for the JWT, how do you replace the UUID and the server accepts this? Because the server checks for a valid signature, no?

    Thanks!

1. If you use "alg" : "none" and the server accepts it, you do not need to worry about the secret key
