How I found my first RCE?


Hello everyone, this is a story of how I found my first RCE on a bug bounty program.
This is a private program and doesn't allow disclosure so let us assume that our target is redacted.com. This is a wide scope target. So, after running my subdomain enumeration scripts I passed the subdomains into httpx to get live subdomains.
I had over 14k unique targets after probing. At this point, I was searching for keywords like internal, staging, stg, developer, admin, etc.
While testing these interesting domains manually, I also ran the nuclei technologies template on the live subdomains to see what technologies the target was using. Upon running this and parsing the output, I found out that one of the subdomains, let us say 'vuln.redacted.com', was using Oracle WebLogic.
I knew there were CVEs for WebLogic. I ran the nuclei CVE templates on 'vuln.redacted.com'. As I was expecting, nuclei detected CVE-2017-10271 on 'vuln.redacted.com'.
Vulnerable URL : https://vuln.redacted.com/wls-wsat/CoordinatorPortType

Exploiting CVE-2017-10271


In this section, we will be looking at how I exploited the vulnerability and two mistakes I made while exploiting it. One mistake was out of excitement at getting my first RCE and the other was an observational mistake.
At this point I started googling for a CVE-2017-10271 PoC, and I also had a PoC from the nuclei template.
Let's now look at the steps to exploit the CVE.
I intercepted the request in Burp, which looks like this.

Without any second thoughts I attached the payload to the GET request and forwarded it.

Of course the exploit did not work. I was supposed to make a POST request, but instead, out of excitement, I made a GET request. Realising my mistake soon after, I changed the request method to POST and sent the below request.

This should work, right? NO, it did not. The server threw the below error this time.

What is the issue this time?
The Content-Type entity header is used to indicate the media type of the resource.
We are sending XML data, but if we look carefully the Content-Type is set to application/x-www-form-urlencoded. For our exploit to work we need to set it to text/xml.
The final, error-free POST request with which I could exploit the vulnerability is

On sending the above request, the response came back with a delay of approximately 12 seconds, which proved I had Java code execution.
Then I used the below payload from the nuclei template to read /etc/passwd on the remote server.
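Each of the three requests above (the mistaken GET, the POST with the wrong Content-Type, and the working text/xml POST) leaves a distinguishable trace in the web server or proxy log, and the 12-second delay stands out as well. The detection logic below is an added example, not code from the original post; it assumes a combined-format access log extended with the request Content-Type and response time in seconds, and runs over constructed sample lines.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real traffic): combined-log style with the
# request Content-Type and the response time in seconds appended by the proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512 "application/x-www-form-urlencoded" 0.020
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024 "application/x-www-form-urlencoded" 0.031
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024 "text/xml" 12.004
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" 0.015
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)" (?P<secs>[\d.]+)$'
)
WSAT_PREFIX = "/wls-wsat/"   # WebLogic WS-AT servlet path from the write-up
SLOW_SECONDS = 10.0          # the write-up observed ~12 s when execution succeeded


@dataclass
class Finding:
    ip: str
    path: str
    severity: str
    reason: str


def classify(line: str):
    """Return a Finding for any request touching the WS-AT endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(WSAT_PREFIX):
        return None
    is_xml = m["ctype"].split(";")[0].strip().lower() == "text/xml"
    if m["method"] == "POST" and is_xml:
        severity = "high"
        reason = "POST with text/xml body to WS-AT endpoint (CVE-2017-10271 pattern)"
    else:
        # GET or a non-XML Content-Type is rejected by the endpoint, but the
        # attempt itself is worth alerting on, as the write-up's own mistakes show.
        severity = "medium"
        reason = f"{m['method']} with Content-Type {m['ctype']!r} to WS-AT endpoint (probe or failed attempt)"
    secs = float(m["secs"])
    if secs >= SLOW_SECONDS:
        reason += f"; slow response ({secs:.1f}s) matches the execution-delay check in the write-up"
    return Finding(m["ip"], m["path"], severity, reason)


def scan(log_text: str) -> list:
    """Classify every line of an access log and return the findings in order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.path}: {f.reason}")
```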

This is the story of my first remote code execution, and I hope you learn from the mistakes I made, which could have cost me my first RCE.
Hope you enjoyed reading this and if you have any suggestions related to this or want to discuss with me about some security related stuff feel free to contact me. HOME has my contact information.
HAPPY LEARNING and HAPPY HACKING !!!.