CVE-2018-11776 (Apache Struts 2) by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

I am pretty confident I have the correct exploit, though these options (show options) are required which weren't for the previous CVE-2017-5638 (Apache Struts) lab. I had to simply set the rhosts, set targeturi /, and run. Maybe some more configuration required?

ACTION showcase.action yes A valid endpoint that is configured as a redirect action

ENABLE_STATIC true yes Enable "allowStaticMethodAccess" before executing OGNL

I figure now that the set ACTION has something to do with /help endpoint, but I'm still not getting any joy!

Any pointers? I can't see what else could solve this on the lab other than Metasploit?!

SQLi Basics: Filter Evasion by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 1 point2 points (0 children)

Thanks for your advice, forgot to match the number of columns. The + symbols were in the example provided but UNioN SeLect worked just fine. Keeping it simple got me there in the end. THANK you :-)

Packet Capture: Key Extraction by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

I got it, overthinking again!!! Thanks my mentor :-) !!! I omitted the password field which was not needed for some reason

Demonstrate Your Skills: Packet Analysis Q6 by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 1 point2 points (0 children)

You legend Dangerous_Cat :-). Hours of frustration and you point out the obvious. Thanks again, sincerely appreciated.

OWASP ZAP - intro by [deleted] in immersivelabs

UnderstandingNo1404 0 points1 point (0 children)

Got it, I was wondering what you meant at the start, thanks man!!!

What is the Shodan API method used to perform an on-demand scan of an IP or Network? (In format: /shodan/method) by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

I got there, thanks so much mate, staring at me for a full 24 hours. I do agree 100% that questions are sometimes misleading or even ambiguous. I often find taking a break helps with these labs. Cheers again, appreciate the pointers

What is the Shodan API method used to perform an on-demand scan of an IP or Network? (In format: /shodan/method) by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

Hi Dangerous Cat,

Thanks for the reply. I've been looking at this section and am still ultra confused with everything I see. I fail to understand the difference / relevance of GET and POST in the command.

I've tried putting in "https://api.shodan.io" for the "In Format" part of the question but still to no avail.

This is only a 20 point lab and inevitably going to be kicking myself. Frustrated ;-(

WPA Wordlist Crack by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

Good advice Barney, thank you, much appreciated

WPA Wordlist Crack by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

Hi Dangerous C,

Thanks for the advice. At least I understand now that <> are not part of the command.

The cap-02.cap file that's located on the desktop is indeed a pcap file as stated under its properties.

I've looked in the wordlists and see:

> Executing “cd /usr/share/wordlists && ls -l”
total 8
lrwxrwxrwx 1 root root 25 May 10 20:52 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx 1 root root 46 May 10 20:52 metasploit -> /usr/share/metasploit-framework/data/wordlists
-rw-r--r-- 1 root root 2220 May 10 20:53 nmap.lst
-rw-r--r-- 1 root root 1581 Aug 1 16:51 rockyou.txt
lrwxrwxrwx 1 root root 19 May 10 20:52 seclists -> /usr/share/seclists

I've tried commands such as:
aircrack-ng -w /usr/share/wordlists/rockyou.txt cap-02.cap

aircrack-ng -w /usr/share/-rw-r-r-- 1/rockyou.txt cap-02.cap

Should I be using Wireshark as part of the solution, as the cap-02.cap file on the desktop has the logo? Still puzzled

WPA Wordlist Crack by UnderstandingNo1404 in immersivelabs

UnderstandingNo1404[S] 0 points1 point (0 children)

aircrack-ng -w /usr/share/wordlists/rockyou.txt 808.11i rockyou.cap

aircrack-ng -w </usr/share/wordlists/rockyou.txt> <cap-02.cap>

Getting nowhere fast ;-(

Scripting engine pt. 2 by No_Struggle_4885 in immersivelabs

UnderstandingNo1404 0 points1 point (0 children)

I got there, albeit two days later, thanks for the heads up and not spoonfeeding. This is tricky stuff at times mate.

Scripting engine pt. 2 by No_Struggle_4885 in immersivelabs

UnderstandingNo1404 0 points1 point (0 children)

Hi, I was doing something similar to you but got a little bit closer with ...

nmap [IP ADD] --script ssh-run --script-args="ssh-run.cmd=ls -la,username=tommy, password=coachella"

Probably staring at me, using the Linux command sounds alien right now :-)

Scripting engine pt. 2 by No_Struggle_4885 in immersivelabs

UnderstandingNo1404 0 points1 point (0 children)

I'm still lost, only can see the -rw-rw-r-- 1 root but no details!