[web][Pro][medium]
Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion
hackadvisor
Task: a CI/CD platform with a CLI endpoint that uses args4j expandAtFiles, which lets @-prefixed arguments read files on the server. Solution: chain the arbitrary file read to leak the JWT signing key, forge an admin token, and execute shell commands via /api/admin/script.
$ ls tags/ techniques/
args4j_atfile_expansion  arbitrary_file_read_via_cli_parsing  jwt_token_forgery_with_leaked_key  server_side_script_execution
$ grep --similar
Similar writeups
- [web][Pro] Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE — hackadvisor
- [web][Pro] Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation — hackadvisor
- [web][Pro] Lab 209 — BuildForge — Path Traversal in Static File Serving — hackadvisor
- [web][Pro] Lab 29 — PackForge — Path Traversal to RCE via Template Injection — hackadvisor
- [web][Pro] Lab 300 — PlanForge — Broken Authentication via Hidden Trial Activation — hackadvisor