How Hackers Go From Nothing To Admin Access

All demonstrations are intended solely for lawful, ethical, and defensive use. The creator assumes no liability for actions viewers take; attempting to replicate any activity on systems without authorization is illegal and may result in criminal or civil penalties. Use the information responsibly and obtain explicit permission before testing.

ANDROID HACKING COURSE 👉 https://deadoverflow.gumroad.com/l/ultimate-android-api-hacking-course/LIMITED
GAME HACKING COURSE 👉 https://deadoverflow.gumroad.com/l/ultimate-game-hacking-course/50000
My Course 👉https://deadoverflow.gumroad.com/l/mastering-cybersecurity-course/50000
Aveno 👉 https://aveno.online
Merch 👕 https://deadoverflow-shop.fourthwall.com/

2ND YOUTUBE: https://youtube.com/@deadoverflow2

🌐 Make sure to follow me on socials!
https://instagram.com/deadoverflow/
https://medium.com/@deadoverflow

📢 Make sure to also join my discord server as well!
https://discord.com/invite/yh2TqTJ9zN
Elijah S. statement:
For reference you can think of the site like a ctf site where you do challenges and get rewarded in prizes. (Not exactly but ofc I can't share what it actually was.)

I was bored and got notified that they (the website) just made this API update which led me to start looking at the site in the first place.

My mindset was that it probably has a vulnerability and my goal was to escalate my privileges to administrator. I created a new aveno project and started looking at the session cookie. Decoding it I saw that the only thing that identified it to me was by my user id (not including like my name but its ridiculous to create auth via a name). I ran a script on it to see if they possibly had used like a standard key for encoding it like "secret" which would allow me to create my own with any id I wanted. I had no luck here so I went back to aveno checked that off and started looking at other authorization flaws. I had done recon via gobuster to get api urls which led me to /api/user/profile. Testing requests upon it I found it accepted PUT requests to change profile info like your username or name, etc... but most importantly id. ( in discussion with them I learned that this was for their old authentication system )

I could have used the public leaderboard api to get an administrators ID but I was able to guess 1. When I used the request it was accepted by the server and I instantly saw the administrators tab and from there I could ban users remove everything from the faq and put whatever I wanted there. Remove anything from the prizes shop or put anything I wanted in the shop, etc... you understand.

I reported it, they fixed it and will get me a bounty by the end of the month of a unspecified amount.

Видео How Hackers Go From Nothing To Admin Access канала DeadOverflow