webPromedium

Lab 319 — PageForge — Chained Path Traversal to RCE via Asset Bundler

hackadvisor

Task: Express.js CMS with asset bundler path traversal, config file secrets disclosure, and node-serialize deserialization RCE. Solution: 3-step chain — absolute path traversal with URL fragment extension bypass reads server source and secrets, then HMAC-signed node-serialize IIFE payload achieves RCE via admin import endpoint.

$ ls tags/ techniques/

rce path_traversal nodejs ejs information_disclosure nginx express deserialization hmac cms honeypot_flag node_serialize vulnerability_chaining api_key_leak config_leak asset_bundler

absolute_path_traversal_bypassurl_fragment_extension_whitelist_bypassconfig_file_secrets_extractionnode_serialize_unserialize_rceiife_deserialization_gadgethmac_signed_payload_craftingmulti_stage_vulnerability_chain

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 209 — BuildForge — Path Traversal in Static File Serving— hackadvisor
[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor