  • T8-25–01–M–NE–CLFH
  • Apache Struts 2 Path Traversal RCE + LaZagne (post-exploitation password recovery tool)

    This attack is a combination of T2-25-01-S-N-CL and T4-25-01-S-E-FH, and two logs are collected: pcap and log.

    1. The attacker uploads webshell.jsp, a crafted struts.xml to bypass the upload-size restriction, and a LaZagne executable to exfiltrate stored passwords from the system.
    2. The attacker uses the webshell to grant execute permission to the LaZagne executable.
    3. The attacker runs LaZagne and collects the command output returned by the target.

    The attacker leverages CVE-2023-50164 to upload a webshell and post-exploitation payloads (including LaZagne), uses the resulting RCE to fetch the payloads and set their permissions, and executes LaZagne to extract stored credentials.
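  • |                 | OS             | IP           | Software        | Log collection time | Program runtime |
    |-----------------|----------------|--------------|-----------------|---------------------|-----------------|
    | Attacker        | Windows 11     | 192.168.56.1 | LaZagne         | 30 sec              | 120 sec         |
    | Victim (docker) | Ubuntu 22.04.1 | 172.17.0.2   | Apache Struts 2 |                     |                 |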

  • Installation
  • python3 -m venv venv
    .\venv\Scripts\Activate.ps1
    pip install -r requirements.txt

  • Usage
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion
    Credential Discovery Lateral Movement Collection Command and Control Exfiltration Impact

  • Logs
  • ./log/2025_01_T8_{time}.log # YYmmdd_HHMMSS
    ./log/2025_01_T8_{time}.pcap # YYmmdd_HHMMSS




  • Copyright(C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.