EXH-015 | 2017 | Fictional reconstruction
Content-Type
September 2017. Equifax announces 147 million consumer records exposed. The ingress was a patched-but-unapplied Struts bug, and nine digits of consequence.
Type: Defensive / IR
Difficulty: Intermediate
Era: 2010s
Time: 10 min
Briefing
Names, PCI zones, and PII are fake. The `%{(…)}` OGNL gadget grammar and the CVE number are real. Your job is log literacy, not exploitation.
Your role
IR lead in a tabletop based on the public Congressional report, proving the exploit string lived in logs.
Objective
Identify the malformed Content-Type associated with CVE-2017-5638 in a synthetic reverse-proxy log.
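One way to run the check the objective describes, as an added example that is not part of the original exhibit. It assumes a hypothetical reverse-proxy log format that records the request Content-Type; every log line, address and path is constructed, and the `%{(…)}` value stays elided exactly as in the briefing.

```python
import re

# Constructed sample lines, not from any real system. Assumed (hypothetical) format:
#   client [time] "request" status "request Content-Type"
# The proxy must be configured to log the request Content-Type for this to work.
SAMPLE_LOG = """\
192.0.2.10 [07/Sep/2017:10:01:02 +0000] "POST /portal/upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----abc123"
198.51.100.7 [07/Sep/2017:10:01:05 +0000] "GET /portal/status.action HTTP/1.1" 500 "%{(…)}"
192.0.2.11 [07/Sep/2017:10:01:09 +0000] "POST /portal/login.action HTTP/1.1" 200 "application/x-www-form-urlencoded"
192.0.2.12 [07/Sep/2017:10:01:15 +0000] "GET /portal/home.action HTTP/1.1" 200 "-"
192.0.2.13 [07/Sep/2017:10:01:18 +0000] "POST /portal/api.action HTTP/1.1" 400 "text"
203.0.113.5 [07/Sep/2017:10:01:20 +0000] "GET /portal/
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)
# A well-formed media type is token "/" token with optional ";" parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(\s*;.*)?$")


def classify(ctype):
    """Return a reason string if the Content-Type needs review, else None."""
    if "%{" in ctype:
        return "ognl-marker"      # the %{(…)} expression opener named in the briefing
    if ctype in ("", "-"):
        return None               # header absent, normal for most GETs
    if not MEDIA_TYPE_RE.match(ctype):
        return "malformed"        # not type/subtype; review even without the marker
    return None


def find_suspicious(log_text):
    """Return (line_no, client, reason) for every line an analyst should look at."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m is None:
            hits.append((n, None, "unparsed"))  # never drop lines silently
            continue
        reason = classify(m.group("ctype"))
        if reason:
            hits.append((n, m.group("client"), reason))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

Truncated or unparseable lines are reported rather than skipped, since a header value that breaks the log format is itself worth a look.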
Terminal environment
- user: ir
- host: retro-struts
- cwd: /reconstruction/equifax-shape
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.