From LaTeX Injection to RCE: A Real Bug Bounty Case


Hello Friends
It’s been two months since I took a break from bug bounty hunting. During that time, I graduated from university 🎓, recharged, and now I’m officially back in the game. And guess what? Within just a few days of returning, I landed a critical find, a Remote Code Execution (RCE) vulnerability.
So, let’s start with the story. I was going through my private list of programs on HackerOne, and one caught my attention. It was a big program with several *.domains.com assets, so I decided to dig into that one.
First things first, I ran subfinder to enumerate all the subdomains. While that was running in the background, I switched to some Google dorking, using queries like site:*.site.com to find subdomains.
As I checked through them one by one, I noticed one of the subdomains was running LaTeX. That immediately piqued my curiosity. For those unfamiliar, LaTeX (pronounced “Lay-tech”) is a document preparation system widely used for creating professional-quality documents, especially those containing mathematical formulas, scientific notation, and complex layouts.
To be honest, I remembered watching a video from IppSec where he was pwning the Topology box on Hack The Box. In that video, he got a shell through a LaTeX instance. Most of what I did here came from what I learned in that video. When I saw the setup, it felt very similar to that box, so I knew I was on the right path.
While searching online, I came across this GitHub repo. I tried injecting a simple payload like \input{/etc/passwd}, but the application threw an error. So, I went back to the IppSec video, where he talked about a clever bypass: using an alternative character encoding with double carets (^^) to replace letters. I changed the payload to \in^^70ut{/etc/passwd} and, to my excitement, it worked! The app processed it without error, confirming that the bypass was effective.
As you can see, the original payload caused an error, but when I used the ^^70 bypass, it worked perfectly.
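A defender-side illustration, added here and not part of the original post: a filter that inspects only the raw submission misses the ^^70 form, while one that first expands TeX's ^^ escapes (the same rewriting TeX itself performs on input) sees \input in both variants. The sample documents and the blocklist of \input and \include are assumptions made for this demonstration.

```python
import re

# Constructed sample inputs (not taken from the original post's target):
# the plain payload, the ^^70-encoded payload, and a harmless document.
SAMPLES = {
    "plain":  r"\input{/etc/passwd}",
    "hexed":  r"\in^^70ut{/etc/passwd}",
    "benign": r"\section{Results} $E = mc^2$",
}

# Assumed blocklist for this demonstration: the file-inclusion primitives.
BLOCKED = ("input", "include")

# TeX's caret escape: "^^" + two lowercase hex digits is that byte;
# "^^" + any other single character c is chr(ord(c) ^ 0x40).
_CARET = re.compile(r"\^\^([0-9a-f]{2}|.)", re.DOTALL)

def _expand(m: re.Match) -> str:
    arg = m.group(1)
    if len(arg) == 2:
        return chr(int(arg, 16))
    return chr(ord(arg) ^ 0x40)

def decode_carets(src: str, max_rounds: int = 8) -> str:
    """Rewrite ^^ escapes until none remain, since an expansion can
    itself produce a new ^^ sequence (e.g. ^^5e^^5e70 -> ^^70 -> p)."""
    for _ in range(max_rounds):
        out = _CARET.sub(_expand, src)
        if out == src:
            return out
        src = out
    return src

def find_blocked(src: str):
    """Return the blocked control word found after normalisation, or None.
    Matching the raw text would miss the encoded form; TeX would not."""
    decoded = decode_carets(src)
    m = re.search(r"\\(" + "|".join(BLOCKED) + r")(?![A-Za-z])", decoded)
    return m.group(1) if m else None

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:7} raw-match={str('input' in doc):5} "
              f"normalised-match={find_blocked(doc)}")
```

The raw substring check reports False for the hexed sample while find_blocked reports input for it, which is exactly the gap the blog post's bypass exploits.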
Then, I recorded a video proof-of-concept and submitted my report. Unfortunately, the report was later closed as an internal duplicate, and I did not receive any excerpt from the original report.
I’m continuing to follow up on the case — the triager has been very responsive and professional. I’ve also submitted a mediation request, so now it’s a waiting game to see whether this will result in a reward.
I hope you have learned something new. I am thankful for IppSec's videos; he is an amazing hacker, and I suggest following his YouTube channel.
Be happy, Be nice :)
Resources:
The following links might be helpful:
Written by Ali Hussainzada
Senior Student of Computer Science | 21 y/o Web Application Pentester
My HackerOne Profile: https://hackerone.com/amir_shah