Hello all, I have spent way to long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that.I have been able to send a post request to the NetworkServlet page using the provided exploit string and I know that the test.jsp is created because I can use the query parameter ?cmd=whoami and I get the mysqldump output showing "nt authority \system". I cannot get any other query parameters to execute, even simple ls or dir commands. I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab.Any directions/suggestions/hints would be greatly appreciated!Thanks in advance.J

Hello,Unfortunately I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (ex: 'help', 'systeminfo', etc) but I can't seem to hit the right one to read the token.I've even tried via metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.I will keep investigating, I think we are close :).

Hi SamDickison I haven't had time in the last few days... but yes, I hope to be able to complete this lab!.Best regards,

Hi!I'm right where you are!: managing to execute several commands (not just ‘whoami’) but not the one needed to complete the lab :).I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.Good luck!.[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd

Thanks for your suggestions Bluesman. This did lead me down some alternative paths from what I was trying. I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (url encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (this response takes many minutes, whereas cmd?whoami comes back in seconds).Have you had any additional success?

Hi Bluesman I've enumerated the commands that I believe are available in system32 thinking that maybe there was another that would be used to access file contents, but I don't think so...either a 500 error when they don't exist, a proper response, or response hangs, indicating to me that they are waiting for additional arguments.I have been in touch with support and they provided a parameter query, but it does not work, the entire cmd being passed just keeps being interpreted as the file to find, not a file with arguments. I will keep you posted on my progress.

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

11 Replies

Bluesman
Bronze III
2 months ago
Hi!
I'm right where you are!: managing to execute several commands (not just ‘whoami’) but not the one needed to complete the lab :).
I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.
Good luck!.
[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd
- JWhit101
  Bronze II
  2 months ago
  Thanks for your suggestions Bluesman. This did lead me down some alternative paths from what I was trying. I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (url encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (this response takes many minutes, whereas cmd?whoami comes back in seconds).
  Have you had any additional success?
  - Bluesman
    Bronze III
    2 months ago
    Hello,
    Unfortunately I have not been able to make much more progress; I can run several commands apart from ‘whoami’ (ex: 'help', 'systeminfo', etc) but I can't seem to hit the right one to read the token.
    I've even tried via metasploit (I think you can search by the CVE or by ‘iView2’) and I can't get the session on the machine.
    I will keep investigating, I think we are close :).
Bluesman
Bronze III
30 days ago
JWhit101
Hello,
Thanks for the advice!
I hope I'll have time next week to get back to that lab and finish it :).
Have a great weekend.

Best regards,
SamDickison
Community Manager
13 days ago
Bluesman and JWhit101, have you had any more success in completing the lab? It's great to see you helping each other on the forum!
- Bluesman
  Bronze III
  9 days ago
  Hi SamDickison
  I haven't had time in the last few days... but yes, I hope to be able to complete this lab!.
  Best regards,

Forum Discussion

Web App Hacking (Lab series): CVE-2022-2143 (iView2)

11 Replies

Featured Places

Help & Support Forum

Related Content

Web App Hacking (Lab series): CVE-2022-42889 (Text4Shell) – Offensive

CSM Tip: Have A Summer Series! Are YOU Taking Advantage Of Summer?

Re: APT29 Threat Hunting with Elasticsearch: Ep.5 – LNK File Analysis - Tools?

Historic Steganography Lab

Re: What is a "Demonstrate" Lab and how does it differ from other types of lab?

Recent Discussions

Hack Your First Web App: Ep.4 Missing Cookie

It seems correct answer is not accepted.

Help with Introduction to Python Scripting: Ep.7 – Demonstrate Your Skills

Privilege Escalation: Windows – Finding Passwords

Microsoft Defender for Cloud: Inventory, Resource Health and Recommendations.