Thibaud

Everything posted by Thibaud

  1. Hi Infiltrator, thanks for the response, confirming my suspicion, and thanks for the link to the video, very nice.
  2. Hi digip, Thanks for your answers. Yes, once in the website, an attacker could exploit other possible vulnerabilities and penetrate the company network even further. Yes, I fear retaliation by the company. It's an old-school management. That's why I haven't tested the exploit myself and I'm keeping things theoretical. But I'm hoping there must be some younger people in the company that are into the modern practices of the 21st century and that will do something positive with the disclosure. I carry inspiration from Google's article on rebooting security.
  3. I found two security vulnerabilities in a friend's company and I'd like to do a responsible disclosure to that company so they fix it. For that, I need to know if it's possible to exploit the vulnerability and do an escalation of privilege so I can motivate my case for the disclosure.

     Here is the picture. I found a vulnerability in one of the company's websites with which I can obtain user ids and passwords to access that website. But the website in itself doesn't provide much useful information to an attacker, it's not interesting, so the risk if the website is exploited is moderate.

     What's most interesting, I know for a fact that the passwords to the website are synchronized with the passwords of the Windows users. That's to make it easier for users to remember their passwords; that's another security vulnerability. And the users have administrative privileges on their computers. And the risk if an account with administrative privileges is exploited is high as an attacker could penetrate the company's network. So both security vulnerabilities must be fixed.

     The problem is the following. The user ids on the website are different than the user ids of the Windows accounts. That's the catch, the passwords are the same but the user ids are different.

     My question is, supposing an attacker is on the same network as the target computer, can the attacker compromise the target computer knowing just the Windows administrative password (not the user id)? That's where my knowledge stops. I think the password alone is not enough, that the user id is necessary as well, but I bet it's possible to reveal user ids on Windows, I just don't know.

     Any comments? Thank you.