
From LaTeX Injection to RCE: A Real Bug Bounty Case

Senior Student of Computer Science | 21 y/o Web Application Pentester. My HackerOne profile: https://hackerone.com/amir_shah

Hello Friends

It’s been two months since I took a break from bug bounty hunting. During that time, I graduated from university 🎓, recharged, and now I’m officially back in the game. And guess what? Within just a few days of returning, I landed a critical finding: a Remote Code Execution (RCE) vulnerability.

So, let’s start with the story. I was going through my private list of programs on HackerOne, and one caught my attention: a big program with several wildcard *.domains.com assets in scope. I decided to dig into that one.

First things first, I ran subfinder to enumerate the subdomains. While that was running in the background, I switched to some Google dorking, using queries like site:*.site.com to find more of them.

As I checked through them one by one, I noticed one of the subdomains was running LaTeX, i.e. it compiled user-supplied input with a TeX engine. That immediately piqued my curiosity. For those unfamiliar, LaTeX (pronounced “Lay-tech”) is a document preparation system widely used for creating professional-quality documents, especially those containing mathematical formulas, scientific notation, and complex layouts.

To be honest, I remembered a video from IppSec in which he pwned the Topology box on Hack The Box. In that video, he got a shell through a LaTeX instance. Most of what I did here came from what I learned in that video. When I saw the setup, it felt very similar to that box, so I knew I was on the right path.

While searching online, I came across this GitHub repo. I tried injecting a simple payload like \input{/etc/passwd}, but the application threw an error, presumably because the literal \input control sequence was blocklisted. So I went back to the IppSec video, where he talked about a clever bypass: TeX’s double-caret (^^) notation, in which ^^ followed by two lowercase hex digits stands for the character with that code, so ^^70 is the letter p. TeX performs this substitution while reading the input line, before it assembles the control-sequence name, so the engine still sees \input while a filter that looks for the literal string “\input” does not. I changed the payload to \in^^70ut{/etc/passwd} and, to my excitement, it worked! The app processed it without error, confirming that the bypass was effective.

The original payload caused an error; the ^^70 variant of the same payload was processed without one.
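The bypass works because the filter and the TeX engine read different strings. Below, as an added example (my code, not the author’s and not the affected service’s), is a small Python model of that mismatch: a decoder that applies TeX’s ^^ reduction rules exactly as TeX does when reading a line, an encoder for the fully obfuscated variant of the trick, and one blocklist applied twice, once to the raw submission and once to the normalized text. The blocklist contents, and the assumption that the target used a plain blocklist on raw input, are mine; the post only shows that the literal payload errored and the ^^70 one did not.

```python
import re

# Added example, not code from the post or from the affected service. It
# models the filter-vs-engine mismatch the post describes: a blocklist that
# inspects the raw submission, while TeX reduces ^^ sequences before it
# forms control-sequence names. Assumptions (mine, not the post's): the
# target's check was a plain blocklist on the raw text, and '^' keeps its
# default catcode 7 (superscript), which is what makes ^^ active at all.

_HEX = "0123456789abcdef"   # TeX only accepts lowercase hex digits here


def tex_caret_decode(line: str) -> str:
    """Reduce TeX's ^^ notation the way TeX does while reading one input line.

    Rules (tex.web, "reduce expanded"):
      ^^hh   two lowercase hex digits           -> chr(0xhh)
      ^^c    any other char c with ord(c) < 128 -> chr(ord(c) + 64) if ord(c) < 64
                                                  else chr(ord(c) - 64)
    The reduced character replaces the sequence in the buffer and is examined
    again, so it may itself start a new ^^ sequence. Anything that does not
    form a valid sequence (e.g. a trailing '^^') is left as-is.
    """
    buf = list(line)
    i = 0
    while i < len(buf):
        if buf[i] == "^" and i + 2 < len(buf) and buf[i + 1] == "^" and ord(buf[i + 2]) < 128:
            c = buf[i + 2]
            if c in _HEX and i + 3 < len(buf) and buf[i + 3] in _HEX:
                reduced, width = chr(int(c + buf[i + 3], 16)), 4
            else:
                code = ord(c)
                reduced, width = chr(code + 64 if code < 64 else code - 64), 3
            buf[i:i + width] = [reduced]
            continue          # re-examine position i, as TeX does
        i += 1
    return "".join(buf)


def caret_encode(name: str) -> str:
    """Fully ^^hh-encode a control-sequence name (the most obfuscated variant
    of the post's \\in^^70ut trick): "input" -> "^^69^^6e^^70^^75^^74"."""
    return "".join(f"^^{ord(ch):02x}" for ch in name)


# Control sequences a hosted LaTeX service typically refuses because they read
# or write files or spawn processes. Illustrative list, not the target's.
BLOCKED = ("input", "include", "InputIfFileExists", "lstinputlisting",
           "verbatiminput", "openin", "openout", "read", "write", "immediate")
# \write18 still matches: the lookahead only rejects a following letter,
# so \inputs or \reader (different macros) are not flagged.
_BLOCK_RE = re.compile(r"\\(?:" + "|".join(BLOCKED) + r")(?![A-Za-z])")


def naive_filter_blocks(submission: str) -> bool:
    """The check the post implies the target had: blocklist over the raw text."""
    return bool(_BLOCK_RE.search(submission))


def normalizing_filter_blocks(submission: str) -> bool:
    """Same blocklist, but applied to what the TeX engine will actually see:
    each line after ^^ reduction. Still a blocklist; see the note below for
    why that is not sufficient on its own."""
    return any(_BLOCK_RE.search(tex_caret_decode(ln)) for ln in submission.splitlines())


if __name__ == "__main__":
    for payload in (r"\input{/etc/passwd}",            # blocked by both filters
                    r"\in^^70ut{/etc/passwd}",         # the post's bypass
                    "\\" + caret_encode("input") + "{/etc/passwd}"):
        print(f"{payload:45} engine sees: {tex_caret_decode(payload):25} "
              f"naive={naive_filter_blocks(payload)} normalized={normalizing_filter_blocks(payload)}")
```

Normalizing before matching closes the ^^ hole, but a blocklist remains the wrong layer of defence: \csname ... \endcsname can assemble a control-sequence name from pieces the regex never sees together, and catcode changes can make other characters behave like a backslash. The engine-side controls are what actually bound the damage: run with shell escape disabled (-no-shell-escape, or shell_escape=f in texmf.cnf), set openin_any=p so the engine refuses to read dotfiles, parent paths and absolute paths outside the working directory, and compile in a sandbox with no network and a throwaway filesystem.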

Then I recorded a video proof of concept and submitted my report. Unfortunately, the report was later closed as an internal duplicate, and I did not receive any excerpt from the original report.

I’m continuing to follow up on the case; the triager has been very responsive and professional. I’ve also submitted a mediation request, so now it’s a waiting game to see whether this will result in a reward.

I hope you have learned something new. I am thankful for IppSec’s videos; he is an amazing hacker, and I suggest following his YouTube channel.

Be happy, Be nice :)

Follow me on X and LinkedIn.

Resources:

The following links might be helpful:

  1. https://0day.work/hacking-with-latex/

  2. https://tex.stackexchange.com/questions/262625/security-latex-injection-hack

  3. http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/

D

Btw, why was the original report closed as N/A?

A

Yes, and that is the unclear part. I am insisting that the triagers provide more info.

H

So cool🥰
