1. Summary
I was able to take over admin account in a private program of Hackerone. Which gave me access to the admin panel and from there I was able to put javascript codes in the website, upload php/other server side scripts and do many other exploits. The exploit was triaged as Critical Severity and I was paid-out full bounty of the private program. It was ranked as 9-10 in severity scale.
2. Steps to reproduce
It was a simple exploit. The admin panel was accessible through https://PROGRAMURL/admin
And the admin panel had a form to reset password. Where I had to insert admin email and the OTP code will be sent to the email which I could use to change the password. The OTP was 6 digit random numbers. I tried to brute force it but it would take me long time to brute force and the OTP would be revoked after 30 mins. But the website had another flaw, multiple OTP could be generated by submitting reset form multiple times and the old OTP was not revoked. So I used BURP intruder to create thousands of OTP and the brute forced the OTP which made it easier to find at least 1 otp out of thousands.
Luckily the admin email was just admin@PROGRAMURL. Once I was able to reset the password I got into the admin panel. There I could update website, add or remove contents or do anything. I could insert Javascript to any page in the website, Upload PHP files the could execute codes and many more.
3. Summary
This way I was able to do anything in the website. If I reported the exploit as just admin account take-over I would have got Medium/High and would have got partial payout but I dig more into the exploit and reported it as RCE which gave me full payout and the exploit was triaged as Critical.
