Target from: CVE Network

Advanced, Rootable

CVE-2018-11776 / 0.0.0.0

5: Flags (other, 2:system, env, root)
2: Services
1,500 pts

A direct implementation of the CVE-2018-11776 for Apache Struts 2.3.34/2.5.16
43%

Level 9 / Junior PenTester

R4V3N / 197th Place

1: Flags found
2: Services discovered
100 pts

Euh !

This is a target with direct implementation of the CVE-2018-11776 for Apache Struts 2.3.34/2.5.16 and is here to assist in developing exploits for this vulnerability.

Description

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin).

Environment details

The system is accessible at 10.0.200.169 and runs Apache Tomcat on port 8080/tcp.

JMX Service at on port 8009/tcp.

Flags can be found at:

  • /root/ETSCTF
  • /etc/passwd gecos
  • /etc/shadow password hash
  • env variable
  • http://10.0.200.169:8080/ETSCTF.html url which is also available under /usr/local/tomcat/webapps/ROOT/ETSCTF.html

NOTE: The target IS exploitable, you just need to try harder!!

References

19 Headshots (newer first)

M4sk0ff, Dych0t0m0us, AshBorn77, kobbycber, jaxafed, PufferOverflow, Muzec, Grosik, JDgodd, ElleuchX1, hacker, Pegasus, biba22, sn1per, r0b0tG4nG, TheCyberGeek, AKMalware, abosaif, hitmanalharbi

Activity Stream

Latest activity on the platform

R4V3N Discovered the hidden resource of a web server for 100 points, 38 months ago
R4V3N Discovered a web service, 38 months ago
R4V3N Discovered a JMX service, 38 months ago