NSA Codebreaker 2017, Overview

Each year NSA puts out a challenge called Codebreaker that requires reverse engineering and exploitation skills. This year it was designed to take the players through some of the phases you might go through if you found someone on your network. There were six tasks, each one building on the previous and requiring different skills. There were 1098 participants and only three were able to complete all six tasks. I was able to complete five tasks, along with 2.2% of participants.

Jonathan Armer




AhMyth Android Rat

Beta Version
It consists of two parts:
  • Server side: desktop application based on the Electron framework (control panel)
  • Client side: Android application (backdoor)

Getting Started

You have two options to install it

1) From source code

Prerequisite:
  • Electron (to start the app)
  • Java (to generate the APK backdoor)
  • Electron-builder and electron-packer (to build binaries for OSX, Windows, Linux)
  1. git clone https://github.com/AhMyth/AhMyth-Android-RAT.git
  2. cd AhMyth-Android-RAT/AhMyth-Server
  3. npm start

2) From binaries

Prerequisite:


Rancher Server Docker Exploit

Utilizing Rancher Server, an attacker can create a Docker container with the '/' path mounted with read/write permissions on the host server that is running the Docker container. Because the Docker container executes commands as uid 0, the host operating system honors that identity, allowing the attacker to edit or create files owned by root. This exploit abuses this to create a cron job in the '/etc/cron.d/' path of the host server. The Docker image should exist on the target system or be a valid image from hub.docker.com. Use `check` with verbose mode to get a list of exploitable Rancher Hosts managed by the target system.



Tomcat RCE vulnerability (CVE-2017-12617): HTTP PUT + jsp upload bypass

The Apache Tomcat team announced that all Tomcat versions prior to 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82, on all operating systems, contain a remote code execution (RCE) vulnerability if the default servlet and/or the WebDAV servlet is configured with the readonly parameter set to false.



To check whether a server is vulnerable, you only need to inspect the init-param in the corresponding web.xml file:


An exploit for Apache Struts CVE-2017-5638


Testing a single URL.

python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'

Testing a list of URLs.

python struts-pwn.py --list 'urls.txt' -c 'id'

Checking if the vulnerability exists against a single URL.

python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'

Checking if the vulnerability exists against a list of URLs.

python struts-pwn.py --check --list 'urls.txt'


  • Python2 or Python3
  • requests

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.


The project is licensed under MIT License.


Mazin Ahmed

Automated Pentest Recon Scanner

Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.