Demo: Apache Struts

Video Activity
Time
2 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
00:00
>> I used to work in cyber threat intelligence and I used to report to my customers, "Hey, there's this big bad CVE here for Apache Struts. You might want to look out for this." Well, it's one thing to report on something; it's another thing to show somebody the severity. How bad can things get? I've had dev teams change things, remediate things because I've shown them a demo, because actually seeing can be so much more impactful. Let's see this Apache Struts CVE that I've been talking about in the past lesson.

I'm doing a pen test, I come across this website here running on port 8080, showcase JSP. I have things like Wappalyzer that I use to enumerate technologies. I can see the programming language is Java, a jQuery library of 1.8.2. I might want to check that and see if that's outdated or has known vulnerabilities. A UI framework of Bootstrap. Now how can I tell what version of Struts it is? I might have to look around the website. There might be a configuration file I might have to do some research for. There are also some tools I use like WhatWeb that will enumerate the technology. Like Wappalyzer, you can see the site here. We have a 302 redirect to showcase.action. We can see here the same jQuery library, powered by Struts, and we also have Struts 2 showcase, Struts 2 being something that we know there might be a vulnerability for.

Now, Kali Linux, there's Exploit DB that Kali has. There's also something within Kali Linux called searchsploit. Searchsploit's the offline version of Exploit DB. I could search searchsploit, and I can look for something like Apache Struts. I see a whole bunch of things come back. Now, it's important for me to research these and see if I can figure out what version of Apache Struts this might be running. I did some research before this lesson, and this Linux Web Apps 41570 Python script is something that I researched that looks like it may work in this case. Now, how do I know if this works? Well, I have to try it. The other important thing is, I know it comes from Exploit DB, so I trust it. But that's to say that I should read the underlying code and see if it's vulnerable.

Another thing that I might try to see for enumeration is something like Nikto. Using something like Nikto, I could do Nikto, -h is for the host, not help, and -p is for port. I can run a tool like this. It's very verbose. My friend Chris Sullo, who wrote that, will tell you that himself. But you can see here that this site is vulnerable to Struts-Shock. Here's the CVE that we saw in the lesson. There's the MITRE website.

Again, going back to searchsploit, I see all this exploit code here. I could try to look for Struts-Shock, as it's called, and see if that comes back with anything. Again, I see there are some Metasploit modules here that might be important. But again, I check this script here, 41570. If I want to download that directly, I could do searchsploit, tack m, Enter. You can see here that I've already downloaded this, but it will tell you about it. It will say Apache Struts 2.3.5, less than 2.3.31 to less than 2.5.10, remote code execution. We can overwrite that, and now we have this script.

Like I said, it's important to actually read the code, know what it's doing. Make sure it's not malicious, it's not going to cause any harm to you. I read that. I've made sure that I know what it's doing. I would suggest that you research this and what it's doing yourself. Since this isn't a Python class, but I know this is running Python 2, I'm going to use this Python script against the... you can see down here that when you run this, it will want you to print out the URL and the command. The URL here, the command is, I could do cat /etc/shadow if I knew this was running as root. But maybe a safer command to run is whoami, since that will work on both Windows and Linux. I see mroute, which would indicate that this is probably a Linux box. Then I can go to cat, usually first cat /etc/passwd, since everyone can read that. I can see that file and now I know I'm running as root. I cat /etc/shadow; I want to see if there are any hashes in there that I could crack. I see there are not; this is a Docker. But that's to show you another danger in the fact that this Docker is running as root, which is not good. That's another issue in and of itself.

But you can see how fast that was. If people look in Shodan, if they find that something is running Struts and they know their version is one of the vulnerable versions, they could easily use this exploit code and run it and achieve remote code execution that they could pivot into a reverse shell on the server, create a backdoor, or do all other malicious things in a matter of... this has been about a five-minute lesson, probably five minutes or less. That's to illustrate the danger of this type of vulnerability and the importance of keeping all your components updated.