We’ve all been there — staring at what seems like a dead-end vulnerability, wondering if it’s even worth reporting. I almost made that mistake too, until one “low-risk” finding unexpectedly turned into my biggest bounty yet. Here’s the full breakdown of how persistence and creative thinking turned a simple path traversal into remote code execution.
It began with what most would consider a dead end:
http://admin.target.com:8443/admin/Download A blank page with a 200 status code. Most scanners would mark this as “nothing here” and move on. But in security research, empty responses often hide the most interesting secrets.
After parameter testing, I discovered:
http://admin.target.com:8443/admin/Download?filename=/js/main.js This returned the actual JavaScript file — confirming Local File Inclusion (LFI). The limitations seemed frustrating at first:
- Only accessible within
/admin/directory