Tags: web rce 


We were given a link to a webserver running actuator.
I did some googling and found multiple vulnerabilities but nothing that could really get us RCE, on this particular instance, to get the flag.txt file contents.
Finally found this blog: https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
Using this payload, and modifying it to send a post request to an ngrok http server that I spun up, with the contents I received the flag file.

Note: the payload just writes a startup command. You must restart the server with a post request to actuator/restart to get the service to restart and run the command