Hello amazing hackers ❤ I hope you are all doing well! Today i’d like to talk to you all about the easiest money i ever made. You will see that reading the manual is always very important. If we fail to do that, we neglect an amazing resource of information and no matter how obvious something seems, we should never assume something works as desribed in the manual.
Picking the program
As always, finding a good bug starts with a good program. [REDACTED] is a business to business application that focusses on HR. As you guys know by now, i adore these kinds of targets and i set off to work as i usually do.
Main app methodology
My methodology always starts with exploring my target very well. Before i can hack something i need to know how it works, and for that all starts with the manual if that is available. These things are goldmines! Not only do they tell you what you can they, they usually also tell you what you can’t do!
As Hackers, ofcourse we want to focus on those things that we are not allowed to do and try to get them to work in some way anyway. This is why we should never assume that whatever the manual says, is how it works.
For [REDACTED] the manual read “You can not deactivate super admin users”. Naturally if something tells me i can’t do what i want, i will let my inner rebel speak and i will try to deactivate that super admin users.
And what do you know… I was able to do just that!
This was possibly one of the easiest reports i had to write .No technical stuff, no complicated steps to follow, just simple good old reporting.
This was my original report with details redacted. Please don’t mind the mistakes.
According to the user manual found here https://[REDACTED].pdf it should not be possible to deactive a…