webPromedium

PathRelay — Limited Path Traversal to RCE

hackadvisor

Task: Java/Tomcat admin panel with file download endpoint, WAF-protected path traversal, and hidden servlets. Solution: Webapp-relative path traversal to read WEB-INF/web.xml, discover hidden endpoints, extract credentials from incident report logs, authenticate to Groovy console for RCE, and exfiltrate flag via log files.

$ ls tags/ techniques/

multi_stage waf_bypass path_traversal java credential_leak admin_panel tomcat honeypot_flag groovy_rce jsf log_exfiltration incident_report webapp_relative_path

honeypot_flag_identificationwebapp_relative_path_traversalhidden_endpoint_discovery_via_web_xmlcredential_extraction_from_log_filesgroovy_script_console_rcelog_based_output_exfiltrationparameter_name_fuzzing

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 364 — PulseRelay — Path Traversal to RCE via Plugin Upload— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor
[web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]DecisionForge— hackadvisor
[forensics][free]RedTrails— hackthebox