Tuesday, April 29, 2025
HomeBug BountyBug Bounty Bonanza: $40,000 Reward for Escalating Limited Path Traversal to RCE

Bug Bounty Bonanza: $40,000 Reward for Escalating Limited Path Traversal to RCE

Published on

SIEM as a Service

Follow Us on Google News

As a dedicated bug bounty hunter with an enviable track record on BugCrowd, Abdullah Nawaf, Full full-time bug Bounty Hunter, thrives on the thrill of discovery and the challenge of finding high-impact vulnerabilities.

Recently, alongside his colleague Orwa Atyat, they achieved a notable success: turning a limited path traversal vulnerability into a fully-fledged remote code execution (RCE) exploit, earning a generous bounty of $40,000. Here’s a detailed account of their journey.

Our adventure began with standard reconnaissance on a target subdomain, specifically http://admin.target.com:8443. Initially met with a 404 response, many hunters would have moved on.

- Advertisement - Google News

However, his instincts told me to dig deeper. Employing fuzzing techniques on the URL, they discovered an endpoint at /admin/Download, which returned a 200 OK status but an empty response, as per the report by Medium. This hinted at a potentially exploitable feature.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Discovering Vulnerabilities

Delving deeper into the admin path, he began testing for Local File Inclusion (LFI) and path traversal vulnerabilities. His tests revealed that the /download endpoint accepted a parameter called filename.

When he accessed http://admin.target.com:8443/admin/download?filename=/js/main.js, it displayed the contents of the JavaScript file.

However, the limitation was clear: the function only allowed access to files within the /admin/ directory.

Undeterred, he attempted to access /WEB-INF/web.xml, a file known to contain vital information. This strategic exploration proved fruitful, as he unearthed three URLs, including one for an /incident-report.

Upon visiting this endpoint, he triggered the download of a live log file—an unexpected twist that would lead us down a path of significant discovery.

Escalating the Impact

Inside the log file, he stumbled upon sensitive data: admin credentials, including an MD5-hashed password.

After some attempts, he successfully logged into the admin panel using the credentials he found. This victory led him to an intriguing function called export_step2.xhtml, which housed a Groovy console—an interface for executing Groovy scripts.

Accessing the Groovy console opened the door to potential RCE, but executing commands yielded no visible output. This raised an important question: where was the command output hiding?

Upon reflection, he recalled that our log file could serve as a portal for uncovering the RCE output. By running commands through the Groovy console, he could leverage the log file to retrieve output.

Each time he visited http://admin.target.com:8443/admin/incident-report, a new log file was generated capturing the command execution results.

The cycle was straightforward:

  1. Log in with the discovered credentials.
  2. Navigate to the Groovy console.
  3. Execute a command like print “sudo cat /etc/passwd”.execute().text.
  4. Visit the logs at http://admin.target.com:8443/admin/incident-report to download the latest log and obtain the command output.

This intricate chaining of vulnerabilities not only met the criteria for RCE but also showcased the importance of thorough exploration. He submitted reports on both the RCE and the credentials discovery, culminating in a total payout of $40,000 from the program.

This experience highlights the significance of persistence and creative problem-solving in the field of cybersecurity. Each bug bounty hunt holds the potential for monumental discoveries—if one is willing to dig deeper.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...