Cybersecurity researchers Abdullah Nawaf and Orwa Atyat, successfully escalated a limited path traversal vulnerability into a full-blown remote code execution (RCE).
Their discovery earned a massive $40,000 bounty from the targeted organization’s bug bounty program.
The team documented their step-by-step approach, leaving the cybersecurity community with valuable lessons on persistence, creativity, and methodical bug hunting. Here’s how the triumphant hunt unfolded.
Critical Path Traversal Vulnerability Turns Into A Gold Mine
The story began with reconnaissance and port scanning, during which the researchers identified a subdomain (http://admin.target.com:8443) returning a 404 status code—often ignored by many bug bounty hunters. Fuzzing under /admin/ revealed an endpoint (/admin/Download) that hinted at a file retrieval function.
Testing the endpoint showed it required a valid file path as a parameter. After experimenting with path traversal attacks, the researchers confirmed that the endpoint exhibited what is known as a limited path traversal vulnerability.
Files outside the /admin/ directory could not be accessed, but key files like the widely known /WEB-INF/web.xml were retrievable, exposing sensitive information.
During further exploration, the researchers stumbled upon an /incident-report endpoint.
Accessing it triggered the download of real-time log files, which contained critical details, including old and current admin credentials.
Using the valid credentials (admin:Glglgl123), the researchers gained full access to the admin dashboard.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira ->Â Free Webinar
Groovy Console Unlocked: The Key to RCE
The turning point came when the team explored a feature called export_step2.xhtml within the admin panel.
This feature hosted a Groovy console, a tool typically used by developers for debugging and testing code.
However, when left improperly secured, such consoles can provide attackers with a gateway to execute arbitrary code on the system.
Upon receiving confirmation from the program owner to test for RCE, the researchers devised Groovy script payloads.
While their commands were executed successfully, there was no visible output—an unusual challenge.
At this juncture, they recalled the /incident-report endpoint and theorized that command outputs might be logged in real-time.
By downloading the latest log files, they confirmed their theory. The outputs of their commands, including sensitive system files such as /etc/passwd, were logged and retrievable, effectively completing the RCE exploit.
The team promptly reported their findings to the bug bounty program demonstrating ethical hacking best practices. At the request of the program owner, the findings were split into separate reports to maximize payouts, resulting in the team earning a combined reward of $40,000.
- Persistence Pays Off: The researchers emphasized the importance of treating bug bounty hunting like a quest. Many hunters stop after finding one bug, but by digging deeper, the team uncovered an RCE vulnerability worth tens of thousands of dollars.
- Work Thoroughly on Subdomains: Once a bug is discovered on a subdomain, all tests should be completed before moving on. As seen in this case, one small finding (path traversal) led to uncovering admin passwords, which ultimately escalated to RCE.
- Quality Over Quantity: Combining initial findings into a single report showcased professionalism, leading to stronger trust and engagement with the program owner.
This case is another stellar example of how dedication and technical expertise can lead to significant rewards in the bug bounty field.
By combining a methodical approach with creative thinking, the researchers turned a series of vulnerabilities into a high-profile discovery, reinforcing the importance of cybersecurity vigilance.
“As always,” the researchers remarked, “treat every lead like an opportunity and push your limits responsibly. That’s how you turn $404 into $40,000.”
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
.){kind=link}