Hi and Salam'alaikum eveyone! Back again with me Qais MY Hunter! This is continuous story from my previous (PVS Story 1). Let's get started!

Intro;

Gaining administrative access during a bug bounty engagement often marks the beginning of a deeper exploration rather than the end of the hunt. While administrative privileges already represent a critical security boundary, the real question that follows is: what else can be reached from here?

After successfully obtaining access to an administrator account during my hunting of the web application, I began further testing to determine whether this admin access could lead to additional vulnerabilities or expose sensitive backend functionality. My goal was to explore the application's internal API surface, identify endpoints accessible to privileged accounts, and evaluate whether improper access control or data exposure issues existed.

Rather than stopping at the initial privilege escalation(PVS Story 1), I decided to enumerate and analyze various API endpoints used by the web application. Through this process, I discovered multiple endpoints that were either insufficiently protected or returned excessive sensitive data. In total, approximately eight additional vulnerabilities including RCE 😳 were identified during this phase of testing, demonstrating how a single foothold can often lead to deeper security weaknesses within an application.

Discovery of Sensitive API Endpoint

One of the first critical findings during this post-compromise exploration was an API endpoint that exposed Personally Identifiable Information (PII) and sensitive account data for administrative and privileged users.

The endpoint identified was:

/Role/GetUserData
  • Password-related fields
  • Login statistics
  • IP address history
  • Email and phone information
  • Account privilege indicators
  • Organization and internal metadata

An example response from the endpoint revealed structured user account data including fields like Photo below.

Exposed Data (PII)

What made this issue particularly concerning was that the endpoint returned highly sensitive administrative user details without proper restrictions on data exposure. Instead of returning minimal profile information, the API disclosed a wide range of internal fields that should never be accessible.

Impact of the Exposure

The information returned by this endpoint could significantly assist an attacker in several ways:

  • User/Admin Account Takeover
  • Exposure of internal user metadata
  • IP history
  • Identification of administrative roles

Such information can be leveraged to facilitate further account compromise, targeted attacks against administrators, or lateral movement within the system.

Expanding the Attack Surface

This discovery also served as a pivot point for further investigation. By analyzing the value and data returned from /Role/GetUserData endpoint and how the application interacted with backend APIs, I find that the password hash was only md5 which is can be decrypted online like hashes.com. At first glance, I didn't notice that it was just md5 hash😝 since it use all char in caps lock like "A15E22CCD295AF51EE65569818E8105". I was able to detect it using hash identifier like on the hashes.com.

continued enumerating similar endpoints and discovered several additional vulnerabilities affecting the application's API layer.

These findings reinforced an important lesson during bug bounty hunting: privilege escalation is rarely the final vulnerability — it is often the gateway to uncovering deeper systemic security issues.

Through continued testing and endpoint enumeration after acquiring administrative privileges, I ultimately identified eight additional vulnerabilities, many of which stemmed from insufficient access controls and excessive data exposure in backend APIs.

Closing Thoughts

This phase of the assessment highlights the importance of secure API design and strict data minimization practices. Even when requests originate from authenticated or privileged users, APIs should only return the minimum necessary data required for functionality.

Overly verbose API responses, especially those exposing sensitive account information, can significantly increase the impact of a compromise and provide attackers with valuable intelligence for further exploitation.

In bug bounty hunting, the most valuable discoveries often occur after the initial vulnerability is found. The key is to continue asking the same question:

If I have access to this, what else can I reach?