Apache Struts with CVE-2017-5638 - set up a vulnerable server
Friday, 22 September 2017
Apache Struts is a popular server-side Java-based framework used to make web applications. First we'll set up a vulnerable server, and then exploit it with Metasploit.
Step1: Installing Java
Install Oracle Java JDK 8. On your host system, in a Web browser, go here: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Download jdk-8u144-linux-x64.tar.gz and copy it to the /mnt folder.
cd /tmp
tar -xvf jdk-8u144-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm
sudo mv ./jdk1.8.0* /usr/lib/jvm/
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_144/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_144/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_144/bin/javaws" 1
sudo chmod a+x /usr/bin/java
sudo chmod a+x /usr/bin/javac
sudo chmod a+x /usr/bin/javaws
sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_144
sudo update-alternatives --config java
sudo update-alternatives --config javac
sudo update-alternatives --config javaws
If you see "nothing to configure" that's OK.
java -version
Step2: Installing Tomcat
On your Ubuntu server, execute these commands:
cd /tmp
wget http://apache.mirrors.hoobly.com/tomcat/tomcat-9/v9.0.0.M26/bin/apache-tomcat-9.0.0.M26.tar.gz
tar xvzf apache-tomcat-9.0.0.M26.tar.gz
sudo mkdir /usr/local/tomcat
sudo mv apache-tomcat-9.0.0.M26/* /usr/local/tomcat
On your Ubuntu server, execute these commands:
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_144
Save the file with Ctrl+X, Y, Enter.
On your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
On your Ubuntu server, execute this command to start Tomcat:
/usr/local/tomcat/bin/startup.sh
Tomcat starts.
On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.
http://System_IP:8080/
You see an Apache Tomcat page.
Step3: Install unzip
On your Ubuntu server, execute these commands:
sudo apt update
sudo apt install unzip
Step4: Install Struts2 (Old, Vulnerable Version)
On your Ubuntu server, execute these commands:
cd
wget http://archive.apache.org/dist/struts/2.5.10/struts-2.5.10-all.zip
unzip struts-2.5.10-all.zip
mv struts-2.5.10 struts2
Step5: Install Maven
On your Ubuntu server, execute these commands:
cd /tmp
wget http://mirror.metrocast.net/apache/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.tar.gz
sudo tar xvzf apache-maven*.tar.gz -C /opt/
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export PATH=$PATH:/opt/apache-maven-3.5.0/bin
Save the file with Ctrl+X, Y, Enter.
On your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
In the SSH session controlling your Ubuntu server, execute this command:
mvn -version
You see a version number
Step5: Creating a Project
On your Ubuntu server, execute these commands:
cd
mvn archetype:generate \
-DgroupId=com.tutorialforlinux \
-DartifactId=myWebApp \
-DarchetypeArtifactId=maven-archetype-webapp
Many pages of "Downloading" messages scroll by.
When you see the message: "Define value for property 'version' 1.0-SNAPSHOT: :", press Enter.
When you see the message: "Y: :", press Enter.
You see a "BUILD SUCCESS" message
On your Ubuntu server, execute these commands:
cd myWebApp
nano pom.xml
The file opens. This is an XML configuration file.
At the bottom of the file, in the "build" section, change myWebApp to basic_struts:
<build>
<finalName>basic_struts</finalName>
</build>
At the bottom of the file, in the "dependencies" section, add this new "dependency" section inside <dependencies>:
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.5.10</version>
</dependency>
Save the file with Ctrl+X, Y, Enter.
To build your web app, on your Ubuntu server, execute this command:
mvn clean package
Many pages of "Downloading" messages scroll by, ending with a green "BUILD SUCCESS" message
This has created a "war" file, ready to deploy, at this location:
~/myWebApp/target/basic_struts.war
However, we don't actually need that application. We'll deploy a different one later.
Step6: Configuring Web-Based Deployment
On your Ubuntu server, execute these commands:
cd
nano .bashrc
Add this line to the bottom of the file, as shown below.
export CATALINA_HOME=/usr/local/tomcat
Save the file with Ctrl+X, Y, Enter.
On your Ubuntu server, execute this command to set the new environment variable:
source .bashrc
Now we need to adjust the Tomcat configuration to allow administration from remote addresses.
On your Ubuntu server, execute this command:
sudo nano $CATALINA_HOME/conf/tomcat-users.xml
The "tomcat-users" section contains only comments.
Insert these lines into the "tomcat-users" section:
<role rolename="manager-gui" />
<user username="admin" password="admin" roles="manager-gui"/>
Save the file with Ctrl+X, Y, Enter.
On your Ubuntu server, execute this command:
sudo nano $CATALINA_HOME/conf/Catalina/localhost/manager.xml
Insert these lines into the file, as shown below.
<Context privileged="true" antiResourceLocking="false"
docBase="${catalina.home}/webapps/manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>
Save the file with Ctrl+X, Y, Enter.
On your Ubuntu server, execute these commands to restart Tomcat. It may take a few minutes to shut down the first time--that's OK.
sudo $CATALINA_HOME/bin/shutdown.sh
sudo $CATALINA_HOME/bin/startup.sh
Tomcat restarts.
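An added example, not part of the original post: a Python audit that flags the two lab settings from this step (a manager-gui account with a guessable password, and a RemoteAddrValve pattern that admits any client) and shows them beside a restricted variant. The function names, the "deployer" account, the placeholder secret and the probe addresses are assumptions; the loopback-only pattern is the one Tomcat ships for the manager application.

```python
import re
import xml.etree.ElementTree as ET

# Lab values from this page, wrapped in their root elements (constructed input).
LAB_USERS = r"""<tomcat-users>
  <role rolename="manager-gui" />
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>"""
LAB_CONTEXT = r"""<Context privileged="true" antiResourceLocking="false"
  docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
</Context>"""
# Restricted counterparts (assumed example values): placeholder secret, loopback-only allow.
SAFE_USERS = LAB_USERS.replace('username="admin" password="admin"',
                               'username="deployer" password="REPLACE-WITH-LONG-RANDOM-SECRET"')
SAFE_CONTEXT = LAB_CONTEXT.replace("^.*$", r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1")

WEAK = {"admin", "tomcat", "manager", "password", "changeit", "s3cret"}
# Documentation-range addresses standing in for arbitrary remote clients.
REMOTE_PROBES = ("203.0.113.10", "2001:db8::1")


def _local(el):
    """Tag name without an XML namespace (Tomcat's stock tomcat-users.xml declares one)."""
    return el.tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    issues = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el) != "user":
            continue
        name, pw, roles = (el.get(k, "") for k in ("username", "password", "roles"))
        privileged = any(r.strip().startswith(("manager", "admin")) for r in roles.split(","))
        if privileged and (pw.lower() in WEAK or pw == name or len(pw) < 12):
            issues.append(f"user {name!r} has roles {roles!r} with a guessable password")
    return issues


def audit_remote_addr(xml_text):
    issues = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el) == "Valve" and el.get("className", "").endswith(".RemoteAddrValve"):
            allow = el.get("allow", "")
            # Tomcat matches the whole address against the pattern; fullmatch approximates that.
            if any(re.fullmatch(allow, ip) for ip in REMOTE_PROBES):
                issues.append(f"RemoteAddrValve allow={allow!r} admits non-loopback clients")
    return issues


if __name__ == "__main__":
    for label, users, ctx in (("lab", LAB_USERS, LAB_CONTEXT), ("restricted", SAFE_USERS, SAFE_CONTEXT)):
        print(label, audit_users(users) + audit_remote_addr(ctx))
```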
Step 7: Opening the Web-Based Administration Page
On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.
http://IP:8080/manager
A box pops up asking for credentials. Enter these credentials:
Username: admin
Password: admin
In the "Tomcat Web Application Manager" page, scroll down to the "Deploy" section
Step 8: Downloading a Vulnerable Web App
On your host system, in a Web browser, go to:
https://github.com/nixawk/labs/blob/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war
On the right side, click the Download button.
You get a file named struts2_2.3.15.1-showcase.war
Step9: Deploying the Vulnerable Web App
In the "Tomcat Web Application Manager" page, in the "Deploy" section, in the "WAR file to deploy" section, click the "Choose File" button.
Navigate to your Downloads folder and double-click the struts2_2.3.15.1-showcase.war file.
Click the Deploy button.
The Tomcat page now shows the /struts2_2.3.15.1-showcase application at the bottom of the Applications section.
Click /struts2_2.3.15.1-showcase.
The "Struts2 Showcase" page appears.
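An added example, not part of the original post: a Python inventory check that finds the struts2-core jar inside a WAR and reports whether its version falls in the ranges the Apache advisory for CVE-2017-5638 (S2-045) lists as affected, 2.3.5 to 2.3.31 and 2.5 to 2.5.10. The function names and the in-memory sample WARs are constructed for illustration; real WAR paths can be passed on the command line.

```python
import io
import re
import sys
import zipfile

# Affected by CVE-2017-5638 (S2-045): Struts 2.3.5-2.3.31 and 2.5-2.5.10.
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
CORE_JAR = re.compile(r"WEB-INF/lib/struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.3.15.1' -> (2, 3, 15, 1); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    v = parse_version(version)
    # (2, 5, 10, 1) sorts after (2, 5, 10), so the fixed 2.5.10.1 falls outside.
    return any(low <= v <= high for low, high in AFFECTED)


def scan_war(war):
    """Return [(jar_path, version, affected)] for every struts2-core jar in a WAR."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            match = CORE_JAR.search(name)
            if match:
                findings.append((name, match.group(1), is_affected(match.group(1))))
    return findings


def make_war(*jar_versions):
    """Constructed sample: an in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for version in jar_versions:
            zf.writestr(f"WEB-INF/lib/struts2-core-{version}.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Scan WAR paths given as arguments, or fall back to the constructed samples.
    targets = sys.argv[1:] or [make_war("2.3.15.1", "2.5.10.1")]
    for war in targets:
        for jar, version, affected in scan_war(war):
            print(jar, version, "AFFECTED" if affected else "not in affected range")
```

The check relies on the jar file name, so a renamed or repackaged struts2-core jar needs its manifest inspected instead.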