Metasploit-a-ho-ho-ho

Exploiting Struts2 with Metasploit

Last updated 5 years ago

CVE-2017-5638

In this challenge we need to compromise a web server using Metasploit.

In the supporting material, it is stated that the web server is running a vulnerable version of Apache Struts 2.

A Google search takes us to CVE-2017-5638.

There is also an nmap script that tells us whether the web server is vulnerable to this exploit. The only parameter it needs besides the IP is the path. Navigating to the webpage, we can see that the path is /showcase.action.

Running the nmap script confirmed that the web server is vulnerable to CVE-2017-5638.
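For the defender's side of this CVE, here is an added example (my own code, not part of the original write-up or of nmap's script) that scans web logs for exploitation attempts. CVE-2017-5638 was triggered by an invalid Content-Type header value that the Struts 2 Jakarta multipart parser copied into an error message which was then evaluated as OGNL, so a Content-Type that is not a well-formed media type, or that carries an OGNL marker (`%{` or `${`), is a payload-agnostic indicator. The log line format, the field names and the sample lines are all constructed for this example; a real server would need its own log parser in place of `LOG_RE`.

```python
"""Flag requests whose Content-Type header is not a syntactically valid media
type or carries an OGNL marker. Added example; log format is constructed."""

import re
from typing import List, Tuple

# RFC 7230 token characters. Braces, parentheses, quotes and whitespace are
# not tokens, so an OGNL expression can never parse as a media type.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"

# media-type = type "/" subtype *( ";" name "=" ( token | quoted-string ) )
MEDIA_TYPE_RE = re.compile(
    rf"^\s*{TCHAR}/{TCHAR}"
    rf"(?:\s*;\s*{TCHAR}\s*=\s*(?:{TCHAR}|\"[^\"]*\"))*"
    r"\s*$"
)
OGNL_MARKER_RE = re.compile(r"[%$]\{")


def classify_content_type(value: str) -> str:
    """Return 'ognl-marker', 'malformed' or 'ok' for one header value."""
    if OGNL_MARKER_RE.search(value):
        return "ognl-marker"
    if MEDIA_TYPE_RE.match(value) is None:
        return "malformed"
    return "ok"


# Constructed log format (not any real server's):
# <timestamp> <client-ip> <method> <path> ct="<Content-Type header value>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ct="(.*)"$')

# Constructed sample lines: two benign requests, then two suspicious ones.
SAMPLE_LOG = [
    '2019-12-10T10:00:01Z 10.0.0.5 POST /showcase.action ct="multipart/form-data; boundary=----Boundary1"',
    '2019-12-10T10:00:02Z 10.0.0.5 GET /showcase.action ct="application/x-www-form-urlencoded"',
    '2019-12-10T10:00:03Z 10.0.0.9 POST /showcase.action ct="%{(#constructed_marker)}"',
    '2019-12-10T10:00:04Z 10.0.0.9 POST /showcase.action ct="not a media type"',
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client-ip, path, verdict, header-value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than abort the scan
        _ts, ip, _method, path, ct = m.groups()
        verdict = classify_content_type(ct)
        if verdict != "ok":
            findings.append((ip, path, verdict, ct))
    return findings


if __name__ == "__main__":
    for ip, path, verdict, ct in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {verdict}: {ct}")
```

The media-type check is deliberately structural rather than signature-based: it catches an attempt regardless of what the OGNL expression does, while the marker check additionally flags expressions hidden inside an otherwise valid header (for example inside a quoted parameter value). The same validation, applied before the request reaches the multipart parser, is also the natural mitigation at a reverse proxy.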

Using Metasploit

Searching for struts2 in Metasploit shows seven exploit modules; one of them is the module used in the supporting material, so we can assume it is the right one for CVE-2017-5638.

Looking at the options of the exploit, there are three things we need to set or change: RHOSTS (the IP of the machine we intend to exploit); RPORT (it defaults to 8080, but the web server is running on port 80); and TARGETURI (the default path, which we need to change to the path displayed on the webpage).

With everything set up for the exploit, it is time to select a payload to get a reverse shell on the server. We will use the same payload as the supporting material: linux/x86/meterpreter/reverse_tcp.

Looking at the options again, we now need to set LHOST, which is the IP of our attacking machine.

After setting LHOST we type run or exploit to launch the exploit and get a meterpreter session.

Once inside the web server we need to find flag1. Meterpreter offers a lot of functionality, but it doesn't have a find command, which is exactly what we need right now, so we drop to a system shell by typing shell and use find to locate flag1.

By typing exit we leave the system shell, return to the meterpreter session and read the flag.

The second question asks for Santa's SSH password and tells us to get onto the main system.

Navigating to the root directory, we can see that there is a .dockerenv file. This means we are not on the main system but inside a Docker container.

This is also mentioned in the supporting material.

The first obvious place to look is the /home directory, which contains Santa's home directory with his SSH credentials.

We can now SSH into the main system, where we find the text files that answer the last two questions.
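The .dockerenv check is one of two common heuristics for telling a container from the real host; the other is the cgroup of PID 1. Here is an added example (my own code, not from the write-up) that combines both, takes the root directory as a parameter so it can be exercised against a constructed fake root, and is the kind of check an incident responder runs first to know whether a compromised shell is a throwaway container or the underlying machine. The marker strings in `CGROUP_MARKERS` are the well-known runtime names; the fake-root builder is purely a test fixture.

```python
"""Decide whether a shell is inside a container. Added example; the fake root
built by make_fake_root() is a constructed test fixture, not a real host."""

import os
import tempfile

# Substrings that container runtimes leave in /proc/1/cgroup on cgroup v1 hosts.
CGROUP_MARKERS = ("docker", "containerd", "kubepods", "lxc")


def running_in_container(root: str = "/") -> bool:
    """True if <root>/.dockerenv exists or PID 1's cgroup names a container runtime.

    A negative answer is not proof of a bare host: on cgroup v2 the file
    shows only '0::/', and other runtimes leave no .dockerenv.
    """
    if os.path.exists(os.path.join(root, ".dockerenv")):
        return True
    cgroup_path = os.path.join(root, "proc", "1", "cgroup")
    try:
        with open(cgroup_path, encoding="utf-8", errors="replace") as fh:
            return any(marker in fh.read() for marker in CGROUP_MARKERS)
    except OSError:
        return False  # no /proc at this root (or unreadable): cannot tell


def make_fake_root(dockerenv: bool, cgroup_text: str) -> str:
    """Build a constructed root tree (optional .dockerenv plus proc/1/cgroup)."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    if dockerenv:
        open(os.path.join(root, ".dockerenv"), "w").close()
    os.makedirs(os.path.join(root, "proc", "1"))
    with open(os.path.join(root, "proc", "1", "cgroup"), "w", encoding="utf-8") as fh:
        fh.write(cgroup_text)
    return root


if __name__ == "__main__":
    print("container" if running_in_container() else "host (or no marker found)")
```

Run without arguments it inspects the live system; the fixture exists so the logic can be checked on a workstation without a container runtime.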