Questions & Answers
Question 1: In the context of privilege escalation, what is the difference between vertical and horizontal privilege escalation, and can you give an example of each?
Vertical Privilege Escalation occurs when an attacker starting from a lower-privileged account obtains privileges higher than that account was granted (for example, moving from a standard user to an administrator or root account).
Example: An attacker compromises a regular office employee's account, uses it to pivot within the internal network, and ultimately takes control of an administrator account.
Horizontal Privilege Escalation occurs when a user gains access to another user's account or data at the same permission level. The attacker does not gain higher privileges; the goal is the victim's personal information or assets.
Example: An attacker takes over one customer's online banking account and, from that account, exploits an access control flaw to reach another customer's account and steal funds.
Question 2: What are some effective strategies or practices that can be implemented to prevent privilege escalation vulnerabilities in a system?
- Principle of Least Privilege (PoLP): Grant users, applications, or processes only the minimum level of access required to perform their tasks, strictly avoiding excessive permissions.
- Strict Access Control: Implement Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). Regularly audit and immediately revoke permissions for legacy accounts, former employees, or personnel transferring departments.
- Patch Management: Proactively and continuously update operating systems, software, and database management systems to patch disclosed vulnerabilities (CVEs).
- Strong Authentication: Enforce Multi-Factor Authentication (MFA), especially for highly privileged accounts (Admin, Root, Superuser).
- Monitoring and Logging: Log all permission modification actions, failed login attempts, or access to sensitive files. Utilize a SIEM system to detect anomalous behavior in real-time.
- Network Segmentation: Isolate core systems and servers. If an attacker compromises an account in a lower-tier network segment, they will be blocked and unable to easily access critical resources.
- Secure Coding Practices: Perform access control checks on the server for every request. Never derive the acting user's identity or permissions from values the client controls (cookie values other than the server-issued session token, hidden form fields, URL parameters such as an account id). Take the identity from the server-side session and verify that the requested object actually belongs to that user.
User ID controlled by request parameter
- Access the lab's homepage and exercise the site's features to observe how it behaves. The provided credentials are `wiener:peter`.

- Log in with the `wiener:peter` account, observe the site, and look for anything unusual in its behaviour.

- Look at the URL of the account page and note the `id=wiener` query parameter. A site like this should identify the user from the session cookie, not from a query parameter. In this lab, change the parameter to `id=carlos` to test whether the server enforces access control.

- The session cookie only proves that someone is logged in; the account page selects which account to display entirely from the `id` parameter, without checking that it matches the session user. This is a horizontal privilege escalation vulnerability (an insecure direct object reference) that lets us move from the `wiener` account to the `carlos` account. Submit Carlos's API key to solve the lab.
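The following is an added example, not code from the lab write-up or from PortSwigger: a minimal in-memory model of the lab's account page that reproduces the horizontal privilege escalation described above, next to the server-side access control fix from Question 2. The `Request` class and the handler functions are hypothetical helpers; carlos's password and both API keys are constructed sample data (only `wiener:peter` comes from the lab).

```python
# Added example (not the lab's or PortSwigger's code): in-memory model of the
# lab's /my-account endpoint, vulnerable version beside the fixed version.
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed user store. carlos's password and both API keys are invented.
USERS = {
    "wiener": {"password": "peter", "api_key": "wiener-api-key-0000"},
    "carlos": {"password": "not-known-to-attacker", "api_key": "carlos-api-key-1111"},
}
SESSIONS = {}  # session token -> username, populated by login()


def login(username, password):
    """Check credentials and issue a random session token, or return None."""
    user = USERS.get(username)
    if user is None or not secrets.compare_digest(user["password"], password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


@dataclass
class Request:
    """Hypothetical stand-in for an HTTP request: path with query, plus cookies."""
    path: str                       # e.g. "/my-account?id=carlos"
    cookies: dict = field(default_factory=dict)

    @property
    def query(self):
        return {k: v[0] for k, v in parse_qs(urlsplit(self.path).query).items()}


def my_account_vulnerable(req):
    """Lab behaviour: the session cookie proves *someone* is logged in, but the
    account shown is whichever one the client names in ?id=. There is no check
    that the requested account belongs to the session user."""
    if req.cookies.get("session") not in SESSIONS:
        return 302, "redirect to /login"
    target = req.query.get("id")
    if target not in USERS:
        return 404, "no such user"
    return 200, {"username": target, "api_key": USERS[target]["api_key"]}


def my_account_fixed(req):
    """Fix: identity comes only from the server-side session. A client-supplied
    id naming a different user is refused (and is worth logging as tampering)."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 302, "redirect to /login"
    requested = req.query.get("id")
    if requested is not None and requested != user:
        return 403, "forbidden"
    return 200, {"username": user, "api_key": USERS[user]["api_key"]}


def exploit(handler):
    """Replay the lab steps: log in as wiener:peter, then request ?id=carlos."""
    session = login("wiener", "peter")
    if session is None:
        raise RuntimeError("login failed")
    return handler(Request("/my-account?id=carlos", {"session": session}))


if __name__ == "__main__":
    print("vulnerable:", exploit(my_account_vulnerable))  # leaks carlos's API key
    print("fixed:     ", exploit(my_account_fixed))       # (403, 'forbidden')
```

The fixed handler ignores nothing silently: a request whose `id` disagrees with the session user gets a 403 rather than being quietly rewritten, so the mismatch can be logged and alerted on, which is the kind of signal the monitoring point in Question 2 is about.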
