Cyber Security News

Bug Bounty Bonanza: $40,000 Reward for Escalating Limited Path Traversal to RCE

As a dedicated bug bounty hunter with an enviable track record on BugCrowd, Abdullah Nawaf, Full full-time bug Bounty Hunter, thrives on the thrill of discovery and the challenge of finding high-impact vulnerabilities.

Recently, alongside his colleague Orwa Atyat, they achieved a notable success: turning a limited path traversal vulnerability into a fully-fledged remote code execution (RCE) exploit, earning a generous bounty of $40,000. Here’s a detailed account of their journey.

Our adventure began with standard reconnaissance on a target subdomain, specifically http://admin.target.com:8443. Initially met with a 404 response, many hunters would have moved on.

However, his instincts told me to dig deeper. Employing fuzzing techniques on the URL, they discovered an endpoint at /admin/Download, which returned a 200 OK status but an empty response, as per the report by Medium. This hinted at a potentially exploitable feature.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Discovering Vulnerabilities

Delving deeper into the admin path, he began testing for Local File Inclusion (LFI) and path traversal vulnerabilities. His tests revealed that the /download endpoint accepted a parameter called filename.

When he accessed http://admin.target.com:8443/admin/download?filename=/js/main.js, it displayed the contents of the JavaScript file.

However, the limitation was clear: the function only allowed access to files within the /admin/ directory.

Undeterred, he attempted to access /WEB-INF/web.xml, a file known to contain vital information. This strategic exploration proved fruitful, as he unearthed three URLs, including one for an /incident-report.

Upon visiting this endpoint, he triggered the download of a live log file—an unexpected twist that would lead us down a path of significant discovery.

Escalating the Impact

Inside the log file, he stumbled upon sensitive data: admin credentials, including an MD5-hashed password.

After some attempts, he successfully logged into the admin panel using the credentials he found. This victory led him to an intriguing function called export_step2.xhtml, which housed a Groovy console—an interface for executing Groovy scripts.

Accessing the Groovy console opened the door to potential RCE, but executing commands yielded no visible output. This raised an important question: where was the command output hiding?

Upon reflection, he recalled that our log file could serve as a portal for uncovering the RCE output. By running commands through the Groovy console, he could leverage the log file to retrieve output.

Each time he visited http://admin.target.com:8443/admin/incident-report, a new log file was generated capturing the command execution results.

The cycle was straightforward:

  1. Log in with the discovered credentials.
  2. Navigate to the Groovy console.
  3. Execute a command like print “sudo cat /etc/passwd”.execute().text.
  4. Visit the logs at http://admin.target.com:8443/admin/incident-report to download the latest log and obtain the command output.

This intricate chaining of vulnerabilities not only met the criteria for RCE but also showcased the importance of thorough exploration. He submitted reports on both the RCE and the credentials discovery, culminating in a total payout of $40,000 from the program.

This experience highlights the significance of persistence and creative problem-solving in the field of cybersecurity. Each bug bounty hunt holds the potential for monumental discoveries—if one is willing to dig deeper.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

25 seconds ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

3 minutes ago

Cisco AnyConnect VPN Server Vulnerability Allows Attackers to Trigger DoS

Cisco has disclosed a significant vulnerability in its AnyConnect VPN Server for Meraki MX and Z Series…

3 hours ago

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware targeting…

3 hours ago

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies and…

3 hours ago

SonicWall Firewall Vulnerability Enables Unauthorized Access

Researchers from Bishop Fox have successfully exploited CVE-2024-53704, an authentication bypass vulnerability that affects SonicWall firewalls.…

3 hours ago