RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/

Remote Code Execution (RCE)

I first got to this subdomain via the usual subdomain enumeration. It looked unpromising: a 404 page that said “this website is not in use,” a little picture, and nothing else. Running path discovery for the usual pages turned up nothing, not even a useful robots.txt. However, I took a closer look at the footer.