INTRODUCTION

In our world today, cybersecurity involves more than simply firewalls and antivirus software but
right now it is about how you stay ahead of the constant efforts of a certain section of people who
are trying to hack into your systems, aiming to inflict harm. One of the most prevalent ways this
type of attack happens in our digital domain is through something known as broken access control.
To put things in perspective, let's suppose a security system of a company as a locked door. So,
when access control of the company fails, anyone who tries to open the door can gain access to
the system regardless of their privilege. Which sounds really simple but can cause devastating
effects to that company if it is accessed by the wrong individual. This kind of vulnerability is more
common than most people realize, and it can cause a lot of damage. From stealing sensitive data
to completely taking over a system, attackers can use these loopholes to wreak havoc. It’s an issue
that keeps popping up, especially in web applications, and companies often don’t realize how
exposed they are until it’s too late.

The major issue with broken access control is that it happens frequently because of basic mistakes
rather than complex technical problems. From simple misconfigured permissions to bad
development practices, which all are the result of negligence, subsequently leads to these
vulnerabilities. Attackers understand this and often target these weaknesses because they are easy
to exploit and provide major outcomes. Even worse, the companies may not discover that their
system has been compromised until they suffer a major financial loss or public shame.

So, in this report, we’ll look at a simulated cybersecurity scenario involving a CTF company called
Langtang that’s dealing with a broken access control vulnerability. We’ll go through the methods
used to find and exploit the issue, assess the risks it brings, and explore how leadership and
teamwork can make or break an organization’s response to such challenges. The goal is to not only
understand the problem but also figure out how to fix it and prevent it from happening again.
Penetrating the System and Finding Vulnerabilities
Our main goal is to find and exploit broken access control vulnerabilities in Langtang's platform
in this simulated scene. For that, we will apply a systematic phase-wise penetration testing
technique to provide more insight into the weaknesses of the platform and establish the root work
for proper risk assessment later. The following sections will include realistic and technical
scenarios to demonstrate a detailed approach.

Reconnaissance

Simply the reconnaissance phase will focus on collecting information related to Langtang which
is publicly available to map the potential attack surface and also identify weaknesses to exploit
broken access control.

Steps and Techniques

1. Deep Internet Search

Google Dorking: An attacker uses advanced Google search operators to get hold of sensitive
data related to the company online, such as confidential credentials, configuration files or
secret notes from developers. For example,

site:github.com "Langtang" password

site:langtang.com filetype:pdf

cache:langtang.com

These queries will target GitHub repositories, outdated PDFs or cached versions of Langtang’s
webpages that might expose API keys, password configurations, or deprecated endpoints. For
instance, the query cache:langtang.com might reveal an older login page that could link to
deprecated API endpoints like:

https://api.langtang.com/v1/legacy

Such findings will surely help attackers map potential weaknesses and identify unmonitored
or forgotten parts of the platform.
 Employee Scanning: The attacker can also easily use publicly available tools like LinkedIn
Scraper or Recon-ng to find the employees who are linked to Langtang. With this, they can be
targeted with phishing or social engineering tactics to gather more integral information.

2. Traffic Analysis
HTTP/HTTPS Request Interception: The attacker captures all the HTTP traffic to find
tokens, roles, and session cookies with the help of software like Burp Suite. For example, the
following token reveals information that is sensitive and useful for session hijacking.
{
"user_id": 1001,
"role": "participant",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Parameter Behavior: Some specific endpoints like /api/flags or /user/settings can be tested to
get responses to craft dummy requests. For example, when an attacker queries the following
request, it will return another user’s data in the context that our platform has weak access
controls.
GET /api/flags?user_id=101

3. System Mapping
Shodan and Subdomain Discovery: Tools like Shodan and Sublist3r can be used to unleash
subdomains like admin.langtang.com or dev.langtang.com. An exposed development server
like those subdomains will reveal features that can be easily exploited by the attacker to bypass
high-level security.
Nmap Scan: The attacker can reveal open ports and services by a simple Nmap scan. For
example, through the following scan result the attacker exploits the open SSH port for remote
server access.
PORT STATE SERVICE
80/tcp open http
443/tcp open https
22/tcp open ssh
Scanning

The scanning phase will inspect Langtang's platform to identify misconfigurations and weak
access controls. This step will be transitioning from passive to active analysis of different
endpoints and APIs.

Steps and Techniques:

Custom Directory Enumeration: Through project names found through public company GitHub
repositories, the attacker creates a custom wordlist to perform enumeration which reveals
unprotected directories or sensitive API endpoints like the following:

/hidden_admin

/api/debug/flags

Automated Fuzzing: Tools like Burp Suite Intruder and FFUF are used by the attacker to fuzz
API parameters. They probe the /api/flags endpoint to identify injection vulnerabilities by sending
the following malformed request to test for directory traversal issues, allowing the attacker to
extract critical system files like /etc/shadow or /var/www/html/config.php.

?flag_id=../../etc/passwd

Session Analysis: When the session tokens are intercepted and decoded, the attacker identifies a
weak encryption algorithm (e.g., Base64), through which they modify role parameters to escalate
privileges.

Exploitation

Exploitation demonstrates how broken access control vulnerabilities are leveraged for
unauthorized actions in any kind of situation.

Exploitation Techniques:

Privilege Escalation via JWT Manipulation: The attacker identifies that Langtang uses JSON
Web Token for session management. Through tools like JWT.io, they decode the payload. For
example, the decoded payload reveals the following structure:
 {

"user_id": 1001,

"role": "participant",

"exp": "1699012000"

Now, simply the attacker gets admin privileges by modifying the role parameter to admin, re-
signing the token and injecting it into a session cookie.

IDOR Exploitation: The following endpoint accepts numeric IDs without ownership verification.
The attacker automates requests using Python scripts to enumerate IDs and retrieves flags
submitted by other participants.

/api/flags/{flag_id}

Chained Exploits: By exploiting weak tokens for privilege escalation, the attacker accesses the
/api/debug endpoint. This endpoint contains sensitive information such as database credentials in
plaintext:

"db_user": "admin",

"db_password": "password123",

"db_host": "localhost"

Using these credentials, the attacker connects to the database and extracts sensitive data using
simple SQL command like:

SELECT * FROM users;

Threat, Vulnerability, and Risk Analysis
Broken access control vulnerabilities are among the most serious and prevalent security flaws in
modern web applications, including those which are on Langtang's platform. These flaws occur
when an application fails to enforce sufficient user privileges, allowing unauthorized access of the
data. This section will analyze the vulnerabilities which were discovered from the previous
question by focusing on the threats that they pose, the nature of the flaw, and the potential
consequences on Langtang's operations if the attackers exploit them.

Nature of the Vulnerability

In the platform of Langtang, the broken access control issue takes place in several forms, as
outlined in the penetration testing phase before. This includes:

Poor Role Validation: The major risk that was exploited by the attacker was the insufficient role-
based access controls on Langtang's web application. This allowed attackers to elevate their
privileges by simply altering session tokens or API requests. Especially. Since the JSON Web
Token which has been used for authentication does not provide server-side validation, this severe
flaw permits anyone to modify their user role from "participant" to "admin" in the token and get
unauthorized administrative access.

Insecure Direct Object References (IDOR): Also, some API endpoints like /api/flags/{flag_id}
do not properly validate the owner who is accessing the resource. This flaw enables anyone to
access data that belongs to other players, which subsequently undermines the competitive integrity
of the platform.

Exposed Debug Endpoints: While scanning deep inside the platform, the attacker managed to
uncover debug endpoints like /api/debug that are only meant for development purposes to provide
debugging information. However, it leaked sensitive data like plaintext credentials of the database
since it was exposed in the live production environment causing a serious security risk.

Directory Traversal in API Parameters: The attacker was able to travel beyond the intended
directory access by exploiting the /api/flags endpoint on the platform of Langtang. They
manipulated and sent the request such as ?flag_id=../../etc/passwd, to access critical system files.
This vulnerability exposed some sensitive system and user data that let the attackers peep into the
architecture of the platform and help them carry out more targeted exploits.

Threats Presented by the Vulnerabilities

Privilege Escalation: The attackers acquired unauthorized administrative access due to poor role
validation which could enable them to manipulate or alter challenges and access restricted sites of
the platform.

Data Exfiltration: Through the exploit of IDOR and debug endpoints, it uncovered sensitive
information like flags, hashed passwords and emails, which attackers could use for further attacks
or sell data.

System Integrity Compromise: Unintended access to the system and data through directory
traversal attacks and exposed endpoints, the attackers could tamper with or delete vital system
files.

Operational Disruption: The attackers could disable specific platform features, interrupt any
CTF competitions or alter the scores to cause chaos and unfairness.

Threat Persistence: The debug endpoint credentials that are exposed can be used to get long-term
access to the backend system of the platform which makes recovery process even more difficult
due to repeated exploitation.

Compliance Violations: Breaches of participant data may violate data protection regulations, like
GDPR, resulting in fines and regulatory scrutiny.

Reputational and Financial Damage: Exploitation of the vulnerabilities inside Langtang's

platform will undermine the credibility of the company and could deter potential clients or users
which will in hindsight lead to a financial loss.
Lessons and Recommendations
1. Implement threat modeling frameworks like STRIDE, OCTAVE or PASTA right from the
development phase to detect and address potential threats early.
2. Collaborate with ethical hackers to identify and report security problems in a proactive manner.
3. Adopt very strict object-level access controls to prevent unwanted data access and multi-factor
authentication in sensitive endpoints like debug APIs.
4. Enforce strong encryption algorithms, implement token expiration, and server-side validation
in token mechanisms to prevent token tampering.
5. Set continuous security monitoring tools to detect strange activities such as excessive login
attempts or unauthorized access to sensitive data.
6. Regularly hold threat modeling workshops that will involve both developers and security
teams, utilizing tools like OWASP Threat Dragon to document and analyze vulnerabilities
more effectively.

Risk Assessment Table

Risk Likelihood Impact Risk Level

Privilege Escalation High Very High Critical

Data Exfiltration High High Critical

System Integrity Compromise Medium Very High High

Operational Disruption Medium High High

Threat Persistence Medium Very High High

Compliance Violations Low Very High Medium

Reputational and Financial Damage Medium Very High High