News Ticker

Apache Struts with CVE-2017-5638 - set up a vulnerable server

By Unknown - Friday, 22 September 2017 No Comments
Apache Struts is a popular server-side Java-based framework used to make web applications. First we'll set up a vulnerable server, and then exploit it with Metasploit.

Step1: Installing Java
Install Oracle Java JDK 8 On your host system, in a Web browser, go here: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Download jdk-8u144-linux-x64.tar.gz copy to /mnt Folder
cd /tmp
tar -xvf jdk-8u144-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm

    sudo mv ./jdk1.8.0* /usr/lib/jvm/
    sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_144/bin/java" 1
    sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_144/bin/javac" 1
    sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_144/bin/javaws" 1
    sudo chmod a+x /usr/bin/java
    sudo chmod a+x /usr/bin/javac
    sudo chmod a+x /usr/bin/javaws
    sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_144
    sudo update-alternatives --config java
    sudo update-alternatives --config javac
    sudo update-alternatives --config javaws


If you see "nothing to configure" that's OK.
java -version

Step2: Installing Tomcat
 Ubuntu server, execute these commands:
    cd /tmp
    wget http://apache.mirrors.hoobly.com/tomcat/tomcat-9/v9.0.0.M26/bin/apache-tomcat-9.0.0.M26.tar.gz
    tar xvzf apache-tomcat-9.0.0.M26.tar.gz
    sudo mkdir /usr/local/tomcat
    sudo mv apache-tomcat-9.0.0.M26/* /usr/local/tomcat

Ubuntu server, execute these commands:
    cd
    nano .bashrc
Add this line to the bottom of the file, as shown below.
    export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_144
Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrc
Ubuntu server, execute this command to start Tomcat:
    /usr/local/tomcat/bin/startup.sh
Tomcat starts
 On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.
http://System_IP:8080/
You see an Apache Tomcat page.

Step3: Install unzip
Ubuntu server, execute these commands:
    sudo apt update
    sudo apt install unzip

 
Step4: Install Struts2 (Old, Vulnerable Version)
Ubuntu server, execute these commands:
    cd
    wget http://archive.apache.org/dist/struts/2.5.10/struts-2.5.10-all.zip
    unzip struts-2.5.10-all.zip
    mv struts-2.5.10 struts2

 
Step5: Install Maven
 Ubuntu server, execute these commands:
    cd /tmp
    wget http://mirror.metrocast.net/apache/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.tar.gz
    sudo tar xvzf apache-maven*.tar.gz -C /opt/
    cd
    nano .bashrc

Add this line to the bottom of the file, as shown below.
    export PATH=$PATH:/opt/apache-maven-3.5.0/bin
 Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrc
In the SSH session controlling your Ubuntu server, execute this command:
    mvn -version
You see a version number
Step5: Creating a Project
 Ubuntu server, execute these commands:
    cd
    mvn archetype:generate \
     -DgroupId=com.tutorialforlinux \
     -DartifactId=myWebApp \
     -DarchetypeArtifactId=maven-archetype-webapp

Many pages of "Downloading" messages scroll by.
When you see the message: "Define value for property 'version' 1.0-SNAPSHOT: :", press Enter.
When you see the message: "Y: :", press Enter.
You see a "BUILD SUCCESS" message

Ubuntu server, execute these commands:
    cd myWebApp
    nano pom.xml

The file opens, as shown below. This is an XML configuration file.
 At the bottom of the file, in the "build" section, change myWebApp to basic_struts,
    <build>
      <finalName>basic_struts</finalName>
    </build>
 At the bottom of the file, in the "dependencies" section, add a new "dependency" section, Include in the <dependencies> Section:

    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
 Save the file with Ctrl+X, Y, Enter.

To make your web app,Ubuntu server, execute this command:
    mvn clean package
Many pages of "Downloading" messages scroll by, ending with a green "BUILD SUCCESS" message
 This has created a "war" file, ready to deploy, at this location:
~/myWebApp/target/basic_struts.war
However, we don't actually need that application. We'll deploy a different one later.

Step6: Comfiguring Web-Based Deployment
Ubuntu server, execute these commands:
    cd
    nano .bashrc


Add this line to the bottom of the file, as shown below.
    export CATALINA_HOME=/usr/local/tomcat

Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrc
Now we need to adjust the tomcat configuration to allow administration from remote addresses.
 Ubuntu server, execute this command:
    sudo nano $CATALINA_HOME/conf/tomcat-users.xml
The "tomcat-users" section contain only comments,
 Insert these lines into the "tomcat-users" section,
    <role rolename="manager-gui" />
     <user username="admin" password="admin" roles="manager-gui"/>

Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command:
    sudo nano $CATALINA_HOME/conf/Catalina/localhost/manager.xml

Insert these lines into the file, as shown below.

    <Context privileged="true" antiResourceLocking="false"
             docBase="${catalina.home}/webapps/manager">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
    </Context>
 Save the file with Ctrl+X, Y, Enter.
 Ubuntu server, execute these commands to restart Tomcat. It may take a few minutes to shut down the first time--that's OK.
    sudo $CATALINA_HOME/bin/shutdown.sh
    sudo $CATALINA_HOME/bin/startup.sh

Tomcat restarts,

Spep 7: Opening the Web-Based Administration Page
On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.

http://IP:8080/manager
A box pops up asking for credentials. Enter these credentials:
Username: admin
Password: admin

In the "Tomcat Web Application Manager" page, scroll down to the "Deploy" section

Step 8: Downloading a Vulnerable Web App
On your host system, in a Web browser, go to:
https://github.com/nixawk/labs/blob/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war

On the right side, click the Download button.
You get a file named struts2_2.3.15.1-showcase.war

Step9: Deploying the Vulnerable Web App
In the "Tomcat Web Application Manager" page, in the "Deploy" section, in the "WAR file to deploy" section, click the "Choose File" button.

Navigate to your Downloads folder and double-click the struts2_2.3.15.1-showcase.war file.

Click the Deploy button.

The Tomcat page now shows the /struts2_2.3.15.1-showcase application at the bottom of the Applications section, as shown below
 Click /struts2_2.3.15.1-showcase.
The "Struts2 Showcase" page appears, as shown below.

No Comment to " Apache Struts with CVE-2017-5638 - set up a vulnerable server "