Cybersecurity researchers Abdullah Nawaf and Orwa Atyat, successfully escalated a limited path traversal vulnerability into a full-blown remote code execution (RCE).
Their discovery earned a massive $40,000 bounty from the targeted organization’s bug bounty program.
The team documented their step-by-step approach, leaving the cybersecurity community with valuable lessons on persistence, creativity, and methodical bug hunting. Here’s how the triumphant hunt unfolded.
The story began with reconnaissance and port scanning, during which the researchers identified a subdomain (http://admin.target.com:8443) returning a 404 status code—often ignored by many bug bounty hunters. Fuzzing under /admin/ revealed an endpoint (/admin/Download) that hinted at a file retrieval function.
Testing the endpoint showed it required a valid file path as a parameter. After experimenting with path traversal attacks, the researchers confirmed that the endpoint exhibited what is known as a limited path traversal vulnerability.
Files outside the /admin/ directory could not be accessed, but key files like the widely known /WEB-INF/web.xml were retrievable, exposing sensitive information.
During further exploration, the researchers stumbled upon an /incident-report endpoint.
Accessing it triggered the download of real-time log files, which contained critical details, including old and current admin credentials.
Using the valid credentials (admin:Glglgl123), the researchers gained full access to the admin dashboard.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
The turning point came when the team explored a feature called export_step2.xhtml within the admin panel.
This feature hosted a Groovy console, a tool typically used by developers for debugging and testing code.
However, when left improperly secured, such consoles can provide attackers with a gateway to execute arbitrary code on the system.
Upon receiving confirmation from the program owner to test for RCE, the researchers devised Groovy script payloads.
While their commands were executed successfully, there was no visible output—an unusual challenge.
At this juncture, they recalled the /incident-report endpoint and theorized that command outputs might be logged in real-time.
By downloading the latest log files, they confirmed their theory. The outputs of their commands, including sensitive system files such as /etc/passwd, were logged and retrievable, effectively completing the RCE exploit.
The team promptly reported their findings to the bug bounty program demonstrating ethical hacking best practices. At the request of the program owner, the findings were split into separate reports to maximize payouts, resulting in the team earning a combined reward of $40,000.
This case is another stellar example of how dedication and technical expertise can lead to significant rewards in the bug bounty field.
By combining a methodical approach with creative thinking, the researchers turned a series of vulnerabilities into a high-profile discovery, reinforcing the importance of cybersecurity vigilance.
“As always,” the researchers remarked, “treat every lead like an opportunity and push your limits responsibly. That’s how you turn $404 into $40,000.”
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Zero Trust is a security framework that operates under the assumption that no implicit trust…
Orange Cyberdefense has announced the development of InvokeADCheck, a new PowerShell module designed to streamline…
Traffic Distribution Systems (TDS) have emerged as critical tools for both legitimate and malicious purposes,…
Cybercriminals are evolving their phishing methods, employing more sophisticated social engineering tactics to deceive their…
Trend Micro's Managed XDR team has recently investigated a sophisticated Business Email Compromise (BEC) attack…
Kudelski Security Research recently published an article detailing advanced methods for tracking and analyzing threat…