webPromedium

Lab 23 — KeyVault Pro — IDOR in 2FA Device Removal

hackadvisor

Task: enterprise credential management platform with WebAuthn 2FA; team API over-exposes security device info and device removal lacks ownership validation. Solution: chain two IDORs — enumerate admin's WebAuthn credential_id via team API, delete admin's 2FA device as low-privilege user, login with leaked admin credentials, access protected notes containing the flag.

$ ls tags/ techniques/

nodejs information_disclosure idor api_security broken_access_control 2fa_bypass webauthn credential_management

api_endpoint_enumerationidor_user_enumerationidor_device_deletion2fa_bypass_via_device_removalcredential_leak_in_announcements

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 341 — KeyVault2FA — SSRF via OTP Account Import— hackadvisor
[web][Pro]Lab 7 — TeamForge - Privilege Escalation via Invitation Flow— hackadvisor
[web][Pro]Lab 15 — ProfileHub — IDOR in User Profile API— hackadvisor
[web][Pro]TeamForge — IDOR to Owner Account Takeover via Weak Passwords— hackadvisor
[web][Pro]TeamForge — Privilege Escalation via IDOR and Weak Passwords— hackadvisor_kubstu