Welcome to another Honeypot tutorial!

Taking a break from my OSCP studies, I came across the new Oracle vulnerability.

As most cyber security people know, CVE-2018-2628 was released for Oracle WebLogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3).

The POC exploit code was released as well, located on GitHub at https://github.com/brianwrf/CVE-2018-2628 (props to the POC hax0r!).

Currently there are security articles out saying hackers are scanning the internet for vulnerable servers on port 7001, so why don't we fire up a honeypot and check out what the hackers are doing?

Below is a quick bash script of the install I used.

This honeypot was built on a Vultr VPS (Ubuntu 14.04 64-bit, 4 GB RAM).

We will need Java for Ubuntu, located here: http://ethicalredteam.com/jdk-6u45-linux-x64.bin, and the vulnerable Oracle server (10.3.6.0), located here: http://ethicalredteam.com/wls1036_generic.jar

#!/bin/bash
# Based on: https://redstack.wordpress.com/2010/05/20/installing-weblogic-server-10-3-3-on-ubuntu-64-bit/
# Target box: Vultr VPS, Ubuntu 14.04 64-bit, 4 GB RAM
# In the WebLogic installer, select the TYPICAL install.

# A desktop is needed because the WebLogic installer is GUI-based.
apt-get -y update && apt-get -y install lubuntu-desktop

# Working directory for the honeypot bits.
cd /root
mkdir oraclehp
cd oraclehp

# Fetch the JDK and the vulnerable WebLogic 10.3.6.0 installer.
wget http://ethicalredteam.com/jdk-6u45-linux-x64.bin
wget http://ethicalredteam.com/wls1036_generic.jar

# Unpack the JDK (creates ./jdk1.6.0_45).
sh jdk-6u45-linux-x64.bin

# Wireshark is used to capture what hits the honeypot.
apt-get -y install wireshark

reboot

# After the reboot, do the rest of the install with the GUI:
#   /root/oraclehp/jdk1.6.0_45/bin/java -jar wls1036_generic.jar
#
# Launch WebLogic:
#   bash /root/Oracle/Middleware/user_projects/domains/base_domain/startWebLogic.sh
#
# Verify it is running with `netstat -atnp`; port 7001 should show as LISTEN.

We are going to run the installer and choose the defaults for everything. I ran everything as root (no judgements please) as this is just a honeypot. You can configure user groups and all that fun stuff if you'd like.


We'll launch an nmap scan against the server to confirm the ports are open, as well as checking with netstat.

We will fire off the POC exploit just to confirm that our Oracle honeypots really do have code execution on them.

https://github.com/brianwrf/CVE-2018-2628

Awesome, so what did we catch so far? Well, so far we can see some IPs nmapping us looking for port 7001 open. Currently I do not see any logs of attackers trying to RCE the honeypot, but in due time I'm sure it will happen.
We can see China being the number one scan culprit, go figure! :D


Link to download the pcap is here
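To turn a capture like that into the "who is scanning port 7001 and who is actually speaking T3" summary discussed above, here is an added example (my own code, not from the original post or the PoC repo). It reads a classic libpcap file with only the standard library, assuming Ethernet/IPv4/TCP frames, counts bare SYNs to the WebLogic port per source (scanner candidates), and separately flags sources whose payload starts with the T3 handshake or contains the Java serialization magic 0xACED0005, which is what a deserialization attempt over T3 looks like on the wire. The sample capture it builds is constructed inline from documentation-range addresses so the script runs offline; point it at the real pcap by passing the path as the first argument.

```python
"""Triage a WebLogic honeypot pcap: SYN probes to 7001 and T3/serialized traffic.

Added example for this write-up, not code from the post. Handles classic pcap
(not pcapng) with Ethernet/IPv4/TCP frames only; everything else is skipped.
"""
import struct
import sys
from collections import Counter

WEBLOGIC_PORT = 7001
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # stream magic + version of Java serialization
T3_HELLO = b"t3 "                           # start of the WebLogic T3 client handshake


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags, payload) for each TCP/IPv4 packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:  # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src_ip = ".".join(str(b) for b in ip[12:16])
        dst_ip = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src_ip, dst_ip, sport, dport, tcp[13], tcp[data_off:]


def triage(data):
    """Return (syn_probes Counter, t3_talkers set, serialized_talkers set) for port 7001."""
    syn_probes, t3_talkers, serial_talkers = Counter(), set(), set()
    for src, _dst, _sport, dport, flags, payload in parse_pcap(data):
        if dport != WEBLOGIC_PORT:
            continue
        if flags & 0x02 and not flags & 0x10:      # SYN without ACK: new connection attempt
            syn_probes[src] += 1
        if payload.startswith(T3_HELLO):             # client opened the T3 protocol
            t3_talkers.add(src)
        if JAVA_SERIAL_MAGIC in payload:             # serialized Java object on the wire
            serial_talkers.add(src)
    return syn_probes, t3_talkers, serial_talkers


def _frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: two scanners sending bare SYNs, one host that completes
    a T3 handshake and then sends a serialized object. Honeypot is 198.51.100.5."""
    hp = "198.51.100.5"
    frames = [
        _frame("203.0.113.10", hp, 40000, 7001, 0x02),
        _frame("203.0.113.10", hp, 40001, 7001, 0x02),
        _frame("203.0.113.10", hp, 40002, 8080, 0x02),        # other port, ignored
        _frame("203.0.113.77", hp, 51000, 7001, 0x02),
        _frame("192.0.2.200", hp, 60000, 7001, 0x02),
        _frame(hp, "192.0.2.200", 7001, 60000, 0x12),          # SYN/ACK back, ignored
        _frame("192.0.2.200", hp, 60000, 7001, 0x18, b"t3 12.2.1\nAS:255\nHL:19\n\n"),
        _frame("192.0.2.200", hp, 60000, 7001, 0x18, JAVA_SERIAL_MAGIC + b"\x73\x72"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1524000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    probes, t3, ser = triage(capture)
    for ip, n in probes.most_common():
        print(f"{ip:16} SYNs to {WEBLOGIC_PORT}: {n}")
    print("T3 handshakes from:", sorted(t3))
    print("Java serialized payloads from:", sorted(ser))
```

The split between the three buckets is the useful part: a source that only shows up in the SYN counter is a port scanner (the bulk of what the honeypot sees at first), one that also appears in the T3 set has gone past the banner and is talking the protocol the PoC uses, and one in the serialized set has sent an actual object stream, which is the event worth pulling the full connection for in Wireshark.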

That is about the basic setup for now! This was just a quick tutorial to get a honeypot up. Currently I have 4 honeypots in different countries and will monitor them for a while.

I will update this thread when I find any new interesting things happening on the honeypots. Until then it's back to the OSCP labs.

Enjoy!

https://thehackernews.com/2018/04/oracle-weblogic-rce-exploit.html