How I found an RCE seconds after its publication

Hello there!

This article is the first one of a (probable) series where I will share how the service I released 2 months ago, https://profundis.io, helps me every day in my bug bounty journey.

This first article will cover the basics of the alerting feature that streams domains of my bug bounty targets in real time, allowing me to stay updated on any changes within the monitored scopes. I will cover this subject with a nice bounty I got recently for an RCE discovered thanks to this alerting feature.

The setup

To get started with the alerts, I have created an alert looking like this:

Certificate alert setup

Certificate alert created

Then, using an SSE connector, I’m able to receive the domains whose detected certificate has a certificate organization field matching .*Super company AG.*. Because the data going to the probe, and then to the alert streams, comes from multiple sources (including, but not limited to, the live cert-stream), any new certificate created for a domain triggers an instant probing and is sent to the alert stream.
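The consumer side of such a stream, as an added example that is not profundis's own code: it parses Server-Sent Events framing and keeps the domains whose certificate organization matches the alert's pattern, which is also how a company can watch certificates issued under its own name. The JSON field names (domain, cert_org) and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Organization pattern from the alert described above.
ORG_PATTERN = re.compile(r".*Super company AG.*")

# Constructed sample stream. The JSON field names ("domain", "cert_org") are
# assumptions for illustration, not the documented profundis payload.
SAMPLE_STREAM = (
    ": keep-alive\n"
    "\n"
    "event: alert\n"
    'data: {"domain": "automation.example.com", "cert_org": "Super company AG"}\n'
    "\n"
    "event: alert\n"
    'data: {"domain": "shop.example.net", "cert_org": "Other Corp Ltd"}\n'
    "\n"
    "event: alert\n"
    'data: {"domain": "staging.example.org",\n'
    'data:  "cert_org": "Super company AG (Schweiz)"}\n'
    "\n"
)

def iter_sse_data(lines):
    """Yield the joined data payload of each SSE event (a blank line ends an event)."""
    data = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            if data:
                yield "\n".join(data)
            data = []
        elif line.startswith(":"):
            continue  # SSE comment, typically a keep-alive
        elif line.startswith("data:"):
            value = line[5:]
            data.append(value[1:] if value.startswith(" ") else value)
    # An event not terminated by a blank line is discarded, as SSE requires.

def matching_domains(lines, pattern=ORG_PATTERN):
    """Return the domains whose certificate organization matches the pattern."""
    hits = []
    for payload in iter_sse_data(lines):
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            continue  # skip malformed events instead of stopping the consumer
        if isinstance(event, dict) and pattern.search(event.get("cert_org") or ""):
            hits.append(event.get("domain"))
    return hits
```

Against a live endpoint, pass the response's line iterator to matching_domains instead of the sample text.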

The bug

Everything came from the following alert I received on Discord:

discord alert

When I saw that alert, I immediately thought about n8n, and its setup process. If you don’t know what n8n is, it’s a workflow automation tool that allows you to connect different apps and services together to achieve anything you want. For example, you can use n8n as a way to receive profundis’s alerts.

N8n is a tool that I know and love, and I have used it extensively in the past, so when I saw this page, I couldn’t contain my excitement:

n8n panel

That’s right, what you see in this screenshot, that’s the setup panel of n8n right there. The developer just ran the recommended docker/docker compose environment a few seconds ago, and it exposes the setup panel. It means that I could easily take control of the super-admin account for this n8n instance, just by setting up the account!

I just had to be quick enough to race the developer deploying this instance.

But I managed to do it:

n8n claimed

Now, if you don’t know the capabilities of n8n, it’s a powerful tool that allows you to automate workflows between different services. In this case, I was able to leverage its capabilities to achieve remote code execution within the n8n docker by simply using the command execution node:

n8n RCE

Takeaways

Real-time alerts are crucial in bug bounty hunting. Profundis offers a real-time alerting feature that helps you receive instant notifications about changes in your target domains/companies without having to process anything yourself.

In that specific case, getting an RCE within that specific n8n instance might not look like a big deal for some of you. However, the implications could be significant even in isolated environments:

  • N8n instances can be deployed with persistent secrets, accessible within the docker environment
  • Getting access to a shell, even within the docker, can lead to privilege escalation and lateral movement within the host system, depending on the configuration

Timeline

  • 29/07/2025 4:32 PM - Profundis Alert received on Discord
  • 29/07/2025 4:34 PM - N8N dashboard claimed
  • 29/07/2025 4:43 PM - Report sent
  • 30/07/2025 10:25 AM - Dashboard taken down
  • 31/07/2025 1:24 PM - $$$ Awarded :)