webPromedium

Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE

hackadvisor

Task: CI/CD platform with unauthenticated webhook endpoint that reads arbitrary files via user-controlled filepath parameter (weak path filter). Solution: 3-step chain — arbitrary file read to leak JWT secret from /app/data/.env.secrets, forge admin JWT token, then RCE via admin pipeline execution endpoint that passes commands to child_process.exec().

$ ls tags/ techniques/

command_injection docker rce path_traversal jwt nodejs hs256 arbitrary_file_read webhook alpine_linux express_js cicd decoy_flags child_process_exec

jwt_secret_extractionsource_code_disclosurearbitrary_file_read_via_webhookjwt_forgery_hs256admin_privilege_escalationrce_via_execpath_filter_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation— hackadvisor
[web][Pro]Lab 38 — PipelineForge — XXE in XML Pipeline Import— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor
[web][Pro]Lab 12 — NewsGrid — JWT Algorithm Confusion— hackadvisor