  • T9-25–01–M–NE–CDFH
  • Apache OFBiz RCE + SU-Bruteforce

    This attack is a combination of T3-25-01-S-N-CD and T6-24-01-S-E-FH. Two log types are collected: a pcap capture and a text log.

    1. The attacker identifies a vulnerable server and attempts remote code execution (RCE) via CVE-2024-38856.
    2. After successful exploitation, the attacker uses the RCE to force the target to download payloads from the attacker's host.
    3. The attacker executes a remote SU brute-force script on the target and collects the output returned by the target server (attempting to gain root).

    In short, the attacker leverages CVE-2024-38856 to download a malicious Python script onto the target from an attacker-controlled host, then executes the SU brute-force attack in an attempt to escalate privileges to root.
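    The defensive side of step 3: the SU brute force leaves a burst of failed su attempts in the victim's authentication log, optionally followed by a success when a guess lands. The detector below is an added example written for this page, not code from the dataset or from the KAIST research center; it assumes the victim's log follows the Ubuntu 22.04 /var/log/auth.log su line format, and the sample lines, the host name `victim`, and the `www-data` account that OFBiz is assumed to run under are all constructed for the example rather than taken from the dataset.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Ubuntu 22.04 /var/log/auth.log style. They are NOT
# taken from the dataset's log file; "www-data" stands in for the account OFBiz
# runs under, which is an assumption made for this example.
SAMPLE_AUTH_LOG = """\
Jan 15 10:20:01 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:02 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:03 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:04 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:05 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:06 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:07 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:08 victim su: FAILED SU (to root) www-data on pts/1
Jan 15 10:20:09 victim su: (to root) www-data on pts/1
Jan 15 10:20:10 victim sshd[2201]: Accepted publickey for alice from 192.168.56.20 port 50122 ssh2
Jan 15 11:00:00 victim su: FAILED SU (to root) alice on pts/2
"""

# Matches both the failure form ("su: FAILED SU (to root) user on tty") and the
# success form ("su: (to root) user on tty"); an optional [pid] is tolerated.
SU_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"su(?:\[\d+\])?: (?P<failed>FAILED SU )?\(to (?P<target>\S+)\) "
    r"(?P<user>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(text, year=2025):
    """Return su attempts as dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue  # unrelated daemon (sshd, cron, ...) or a non-su line
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "host": m.group("host"),
            "user": m.group("user"),      # account invoking su
            "target": m.group("target"),  # account being switched to
            "tty": m.group("tty"),
            "failed": m.group("failed") is not None,
        })
    return events


def detect_su_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (user -> target) pairs with >= threshold failures inside any window.

    Also records whether a successful su for the same pair follows the burst,
    i.e. whether the password guessing actually yielded root.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["user"], ev["target"])].append(ev)

    alerts = []
    for (user, target), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["failed"]]
        # Sliding window over failure timestamps: densest burst within window_seconds.
        best, start = 0, 0
        for end in range(len(fails)):
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_fail = fails[0]
            succeeded = any(not e["failed"] and e["ts"] >= first_fail for e in evs)
            alerts.append({
                "user": user,
                "target": target,
                "failures_in_window": best,
                "total_failures": len(fails),
                "first_failure": first_fail,
                "succeeded_after": succeeded,
            })
    return alerts


def scan_auth_log(text, **kwargs):
    """Convenience wrapper: raw auth.log text in, brute-force alerts out."""
    return detect_su_bruteforce(parse_su_events(text), **kwargs)


if __name__ == "__main__":
    for a in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"su brute force: {a['user']} -> {a['target']}: "
              f"{a['failures_in_window']} failures, root obtained: {a['succeeded_after']}")
```

    The threshold and window are deliberately loose defaults; on a real host, tune them against the baseline rate of legitimate su failures, and treat `succeeded_after` as the signal that turns a noisy brute-force alert into a confirmed privilege-escalation incident. The single failure by `alice` in the sample stays below the threshold and produces no alert.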
  • Environment
    Host      OS              IP              Software                Log collection time   Program runtime
    Attacker  Windows 11      192.168.56.1    Python                  80 sec                200 sec
    Victim    Ubuntu 22.04.1  192.168.56.110  Apache OFBiz v18.12.14

  • Installation (on the attacker host, Windows 11, PowerShell)
    python3 -m venv venv
    .\venv\Scripts\Activate.ps1
    pip install -r requirements.txt

  • Usage
    Run Terminal 1 before Terminal 2: run.py makes the victim fetch the payload from the attacker's HTTP server, so that server must already be listening on port 8888 when the exploit fires.

    [Terminal 1]
    python3 -m http.server 8888

    [Terminal 2]
    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
    ./log/2025_01_T9_{time}.log    # {time} is formatted YYmmdd_HHMMSS
    ./log/2025_01_T9_{time}.pcap   # {time} is formatted YYmmdd_HHMMSS



  • References
    [1] NIST, CVE-2024-38856
    [2] SecureLayer7, CVE-2024-38856 – Apache OFBiz RCE
    [3] GitHub – securelayer7, CVE-2024-38856_Scanner
    [4] Zscaler Blog, CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz
    [5] MITRE ATT&CK, Brute Force: Password Guessing
    [6] MITRE ATT&CK, Privilege Escalation

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.