How a Simple SSTI Turned Into $1,000 and RCE
While performing reconnaissance on a feature-rich web platform, the author found a server-side template injection (SSTI) vulnerability and escalated it to remote code execution (RCE), earning a $1,000 bounty. The platform supports creating subdomains, managing customers, generating invoices and similar features. The author had previously found a cross-site scripting (XSS) vulnerability on the same platform. 2025-12-15 10:49:41 Author: infosecwriteups.com

Danish Ahmed


Hey everyone! What started as routine reconnaissance on a web application turned into a critical find: a Server-Side Template Injection (SSTI) that I escalated to Remote Code Execution (RCE). The reward? A cool $1000 wired straight to my PayPal. If you’re into bug hunting, this story might give you some inspiration for your next recon session.

The Target: A Feature-Rich Platform

The site in question is a versatile platform where users can create custom subdomains, manage customers, generate invoices, send emails, and even set up products for sale. It’s got way more functionality than meets the eye at first: think a mini e-commerce store and CRM rolled into one. Interestingly, this is the same site where I previously uncovered an XSS vulnerability.

(You can check out the writeup for that bug here.)

https://infosecwriteups.com/how-i-found-a-250-xss-bug-after-losing-hope-in-bug-bounty-8ab557df4d1d

After that XSS find, I decided to dig deeper. I spent time on thorough reconnaissance: enumerating endpoints, checking for common misconfigurations, and poking around every nook and cranny. I uncovered a few low-hanging fruits (think minor issues like weak headers or info leaks), but nothing screamed “critical” yet. Patience is key in bug bounties, right?

The Discovery: Spotting SSTI in Email Templates


Article source: https://infosecwriteups.com/how-a-simple-ssti-turned-into-1-000-and-rce-6d121fc4a55e?source=rss----7b722bfd1b8d---4