webPromedium

Lab 364 — PulseRelay — Path Traversal to RCE via Plugin Upload

hackadvisor

Task: Enterprise messaging platform (PulseRelay) on Jetty with plugin management and broken access control on user creation. Solution: Escalate privileges by creating admin user via unprotected endpoint, then upload JAR containing JSP webshell via plugin system for RCE.

$ ls tags/ techniques/

rce file_upload privilege_escalation broken_access_control jsp honeypot_flag jetty jar_upload plugin_system auto_deploy

csrf_token_extractionhoneypot_flag_identificationbroken_access_control_role_assignmentprivilege_escalation_via_user_creationjsp_webshell_in_jar_uploadjetty_plugin_auto_deploy_rce

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]PathRelay — Limited Path Traversal to RCE— hackadvisor
[web][Pro]DecisionForge— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][Pro]Lab 247 — PulseGuard — SSTI in Webhook Notification Templates— hackadvisor