Privilege Escalation From Manager To Admin.
While I was working on Sentry, which is a public program on HackerOne, I found that I was able to escalate myself from manager to admin.
An admin is the only person in Sentry who can add or delete users and who has access to some restricted functions, while a manager is able to create teams and edit them but cannot fully EDIT the organization settings.
There was an option to ADD GitHub SSO, which was also accessible to a manager, and the manager could also change a setting that defines the default rank (permission) for future users. But he cannot change his own rank this way, because the setting only applies to newly added users, not pre-existing ones.
Since I was able to add GitHub SSO, I enabled it and changed the default permission for (FUTURE) users to admin.
Sentry now asks users to log in only via GitHub SSO, so I logged in, deleted myself, and then logged in again with my GitHub account, which resulted in the escalation of my account from manager to admin.
Steps To Reproduce:
1) Enable GitHub auth and choose the default role as OWNER
2) Now delete yourself as a member from the getsentry organization.
3) Now log in with GitHub
4) You're an owner now.
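The following toy model is an added illustration, not Sentry's code: it replays the steps above against two authorization policies. The flawed policy lets any manager set the SSO default role to any value; the hardened policy caps the default role at the configuring user's own role, so the "delete yourself, log in again" trick can no longer elevate anyone. Names, roles and the `cap_default_role` switch are constructed assumptions.

```python
# Constructed model of the "default role for new SSO logins" flaw; not Sentry's code.
ROLE_RANK = {"member": 0, "manager": 1, "admin": 2, "owner": 3}


class Organization:
    """Toy org: members maps user -> role; SSO assigns default_role to new logins."""

    def __init__(self, cap_default_role: bool):
        self.members = {"alice": "owner", "mallory": "manager"}  # constructed
        self.sso_enabled = False
        self.default_role = "member"
        self.cap_default_role = cap_default_role  # hardened check on/off

    def configure_sso(self, actor: str, default_role: str) -> None:
        actor_role = self.members[actor]
        if ROLE_RANK[actor_role] < ROLE_RANK["manager"]:
            raise PermissionError("only managers and above may edit SSO settings")
        # Hardened rule: nobody may set a default rank above their own rank,
        # so leaving the org and re-joining via SSO cannot grant more than they had.
        if self.cap_default_role and ROLE_RANK[default_role] > ROLE_RANK[actor_role]:
            raise PermissionError(f"{actor} ({actor_role}) cannot make {default_role} the default")
        self.sso_enabled = True
        self.default_role = default_role

    def remove_member(self, actor: str, target: str) -> None:
        # Self-removal is allowed for every role, as in the write-up.
        if actor != target and ROLE_RANK[self.members[actor]] < ROLE_RANK["admin"]:
            raise PermissionError("only admins and above may remove other members")
        del self.members[target]

    def sso_login(self, user: str) -> str:
        if not self.sso_enabled:
            raise PermissionError("SSO is not enabled for this organization")
        # An identity with no existing membership is provisioned with the default role.
        self.members.setdefault(user, self.default_role)
        return self.members[user]


def run_flow(cap_default_role: bool) -> str:
    """Replay the report's steps as 'mallory'; return her final role, or 'denied'."""
    org = Organization(cap_default_role)
    try:
        org.configure_sso("mallory", "owner")   # step 1: default role = OWNER
    except PermissionError:
        return "denied"                          # hardened policy stops it here
    org.remove_member("mallory", "mallory")      # step 2: delete yourself
    return org.sso_login("mallory")              # step 3: log in again via SSO
```

With the cap disabled the flow ends with `mallory` as owner; with it enabled the SSO change is refused while an actual owner can still choose any default.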
Thanks for reading 🙂
Regards: Bugdiscloseguys