In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 2)

[InDepth#19] It's time to finish up the "Th1nk Lik3 a H4cker" walkthrough, looking at the rest of the challenges and the final hack from Laracon US!

Aug 30, 2023

∙ Paid

Greetings my friends, this week we’re heading back to finish off our walkthrough of my “Th1nk Lik3 a H4cker” talk from Laracon EU and US! We have two challenges left to cover, plus my finale stunt hack, and I’m excited to dive into the details with you. If you haven’t read Part 1 yet, I recommending heading over there first to get started.

You might have seen on socials, I started Securing Laravel1 almost 2 years ago! So next week I’ll be doing a recap email, similar to my 12 months recap. If you’d like to share any highlights or favourite articles for the recap, let me know this week2!

🕵️ Laravel Security Audits and Penetration Tests → I’m looking to lock in some clients for recurring security reviews next year. Reach out if you’re interested. 🔓

Looking to learn more?
⏩ Security Tip #37: New Password Generator
▶️ In Depth #13: Stealing Password Tokens with Forwarded Host Poisoning

"Th1nk Lik3 a H4cker" Walkthrough (part 2)

In Part 1 we looked at the first three challenges from my Laracon EU and US talk. To quickly recap each of the challenges:

Now we’re up to Challenge #4, which can be found around 10:00 in the recording:

So let’s dive into it:

Challenge #4: Escalate your account to admin!

Here’s what the screen looks like at the start of Challenge #4:

Screen showing the admin bio editor screen — Challenge #4 - Editing admin bio screen.

The challenge here is to escalate our account to an administrator account, which is known as a Privilege Escalation attack, or PrivEsc.

Unlike back in Challenge #2 when we could modify verification URL and perform the privilege escalation directly, we don’t have anything obvious here, so we’re going to go deeper to crack this one.

As we’ve talked about before, the first step is to see what we can modify and control. Looking for any vulnerable inputs or ways of interacting with the application. Our attack vector should be immediately obvious with that User Bio field that we can modify, so let’s see what it let’s us do…

Keep reading with a 7-day free trial

Subscribe to Securing Laravel to keep reading this post and get 7 days of free access to the full post archives.