Cyber Security News

Bug Bounty Bonanza: $40,000 Reward for Escalating Limited Path Traversal to RCE

As a dedicated bug bounty hunter with an enviable track record on BugCrowd, Abdullah Nawaf, Full full-time bug Bounty Hunter, thrives on the thrill of discovery and the challenge of finding high-impact vulnerabilities.

Recently, alongside his colleague Orwa Atyat, they achieved a notable success: turning a limited path traversal vulnerability into a fully-fledged remote code execution (RCE) exploit, earning a generous bounty of $40,000. Here’s a detailed account of their journey.

Our adventure began with standard reconnaissance on a target subdomain, specifically http://admin.target.com:8443. Initially met with a 404 response, many hunters would have moved on.

However, his instincts told me to dig deeper. Employing fuzzing techniques on the URL, they discovered an endpoint at /admin/Download, which returned a 200 OK status but an empty response, as per the report by Medium. This hinted at a potentially exploitable feature.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Discovering Vulnerabilities

Delving deeper into the admin path, he began testing for Local File Inclusion (LFI) and path traversal vulnerabilities. His tests revealed that the /download endpoint accepted a parameter called filename.

When he accessed http://admin.target.com:8443/admin/download?filename=/js/main.js, it displayed the contents of the JavaScript file.

However, the limitation was clear: the function only allowed access to files within the /admin/ directory.

Undeterred, he attempted to access /WEB-INF/web.xml, a file known to contain vital information. This strategic exploration proved fruitful, as he unearthed three URLs, including one for an /incident-report.

Upon visiting this endpoint, he triggered the download of a live log file—an unexpected twist that would lead us down a path of significant discovery.

Escalating the Impact

Inside the log file, he stumbled upon sensitive data: admin credentials, including an MD5-hashed password.

After some attempts, he successfully logged into the admin panel using the credentials he found. This victory led him to an intriguing function called export_step2.xhtml, which housed a Groovy console—an interface for executing Groovy scripts.

Accessing the Groovy console opened the door to potential RCE, but executing commands yielded no visible output. This raised an important question: where was the command output hiding?

Upon reflection, he recalled that our log file could serve as a portal for uncovering the RCE output. By running commands through the Groovy console, he could leverage the log file to retrieve output.

Each time he visited http://admin.target.com:8443/admin/incident-report, a new log file was generated capturing the command execution results.

The cycle was straightforward:

  1. Log in with the discovered credentials.
  2. Navigate to the Groovy console.
  3. Execute a command like print “sudo cat /etc/passwd”.execute().text.
  4. Visit the logs at http://admin.target.com:8443/admin/incident-report to download the latest log and obtain the command output.

This intricate chaining of vulnerabilities not only met the criteria for RCE but also showcased the importance of thorough exploration. He submitted reports on both the RCE and the credentials discovery, culminating in a total payout of $40,000 from the program.

This experience highlights the significance of persistence and creative problem-solving in the field of cybersecurity. Each bug bounty hunt holds the potential for monumental discoveries—if one is willing to dig deeper.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Microsoft Patch Tuesday May 2025 Released With the Fixes for 72 Flaws With 5 Actively Exploited 0-Day

Microsoft has released its May 2025 Patch Tuesday updates, addressing 72 security vulnerabilities across its…

7 hours ago

Ivanti Released Security Updates to Fix for the Mutiple RCE Vulnerabilities – Patch Now

Ivanti, a leading enterprise software provider, has released critical security updates addressing vulnerabilities across several…

8 hours ago

Fortinet FortiVoice Zero-day Vulnerability Actively Exploited in The Wild

A critical stack-based buffer overflow vulnerability (CWE-121) has been discovered in multiple Fortinet products, including…

9 hours ago

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in ransomware…

9 hours ago

Researchers Introduce Mythic Framework Agent to Enhance Pentesting Tool Performance

Penetration testing is still essential for upholding strong security procedures in a time when cybersecurity…

9 hours ago

Swan Vector APT Targets Organizations with Malicious LNK and DLL Implants

A newly identified advanced persistent threat (APT) campaign, dubbed "Swan Vector" by Seqrite Labs, has…

9 hours ago