# How I Was Able To Takeover All User Account And Admin Panel

  
Hi everyone, this is my last write-up of 2018. Six months ago I got an invite to a HackerOne private program. The program has a huge scope, so currently I am focused on that single program. I found a subdomain, let's say abc.example.com (as it is a private program, we will use example.com instead of the original domain).  
  
So let's start  
  
The vulnerability was a pretty straightforward [IDOR](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)  
  
So, the website uses SSO for authentication; after successful authentication it redirects back to the subdomain abc.example.com.  
  
After exploring the functionality, I found it is a very basic site with no option even to edit your own account, many static pages and some third-party links.  
  
So after that I navigated to https://abc.example.com/robots.txt and found lots of hidden directories listed there, like /admin and /user.  
  

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363311660/uBBHsEkV3.png)](https://3.bp.blogspot.com/-tF5Jl0zibHM/XCXQG7o_kcI/AAAAAAAALcA/OZ-fJtE6cegdTbikO2hPT6LjRihdxRGIwCLcBGAs/s1600/Screenshot_9.png)

  
So I quickly navigated to the directory /user, and it redirected me to https://abc.example.com/user/16397/edit.  
That page provides functionality like change password, change email id, change address and add an address.  
Next, I just changed the value to 16390, and it redirected me to the user edit page of the user associated with user id 16390.  
  
Then I created another test account to verify the issue; I was successfully able to change the password and email of that user.  
  

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363313212/pVEhcXoxT.png)](https://3.bp.blogspot.com/-M5lApJHbAyM/XCXSOpE1r2I/AAAAAAAALcM/DOVDtkCDMlMwyosEPW1r6D-T72iDYpYuACLcBGAs/s1600/Screenshot_10.png)

  
  
Then I thought to give admin panel takeover a try, so I visited https://abc.example.com/user/1/edit.  
  
It redirected me to the portal's admin panel, where I could change the admin password and email.  
  

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363314852/lCbLqCATv.png)](https://1.bp.blogspot.com/-UWqTkZ-ORdE/XCXTCd-7ETI/AAAAAAAALcU/VoXpYq2EoYIVtuoWMFoxjHOwMT6BJvlaACLcBGAs/s1600/Screenshot_11.png)

So at that point I was able to take over any user account by changing the user id value, as all ids are sequential, and the admin panel too.  
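To make the root cause concrete, here is an added example (not code from the program or the original post) modelling the /user/&lt;id&gt;/edit handler: the vulnerable version trusts the id in the URL, the hardened version checks that the session user owns the record or is an admin, and a small log scanner flags one session walking through many sequential ids, which is the enumeration pattern this bug enables. User ids, emails and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: user records keyed by sequential id,
# mirroring the /user/<id>/edit layout described in the write-up.
USERS = {
    1: {"email": "admin@example.com", "role": "admin"},
    16390: {"email": "victim@example.com", "role": "user"},
    16397: {"email": "tester@example.com", "role": "user"},
}

def edit_user_vulnerable(session_user_id, target_id, new_email):
    """IDOR: the id from the URL is used directly, never compared to the session."""
    USERS[target_id]["email"] = new_email
    return True

def edit_user_hardened(session_user_id, target_id, new_email):
    """Fix: a record is editable only by its owner or by an admin."""
    actor = USERS.get(session_user_id)
    if actor is None or target_id not in USERS:
        return False
    if session_user_id != target_id and actor["role"] != "admin":
        return False  # authorization failure; log this, do not touch the record
    USERS[target_id]["email"] = new_email
    return True

# Detection: one session requesting many distinct /user/<id>/edit paths.
LOG_RE = re.compile(r'session=(\w+) .*"GET /user/(\d+)/edit')

def find_enumerating_sessions(log_lines, threshold=3):
    """Return session ids that touched at least `threshold` distinct user ids."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {s for s, ids in seen.items() if len(ids) >= threshold}

# Constructed access-log lines: session s1 walks sequential ids, s2 edits only itself.
SAMPLE_LOG = [
    'session=s1 203.0.113.5 "GET /user/16397/edit HTTP/1.1" 200',
    'session=s1 203.0.113.5 "GET /user/16390/edit HTTP/1.1" 200',
    'session=s1 203.0.113.5 "GET /user/1/edit HTTP/1.1" 200',
    'session=s2 198.51.100.9 "GET /user/16390/edit HTTP/1.1" 200',
    'session=s2 198.51.100.9 "GET /user/16390/edit HTTP/1.1" 200',
]
```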
  

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363316297/OLWGePXDK.gif)](https://media.giphy.com/media/26AHszU183LU0wa6A/giphy.gif)

  
After 4 days they fixed the issue and I got a nice bounty and bonus, which helped me fulfill my last 2018 goal.  
  

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1656363318206/oqgFLI-if.png)](https://1.bp.blogspot.com/-OGUVGmiLdnc/XCXUr7wkaiI/AAAAAAAALcg/ypVMOo27jYIi-X8t1DbEn-AbRMHSXe1FACLcBGAs/s1600/Screenshot_12.png)

  
  
Thanks for reading; any suggestions or feedback are welcome.
