## https://sploitus.com/exploit?id=AE004D91-C8AA-5DE3-8E14-481192A124DD
# Attacker Lab: CVE-2017-5638 & CVE-2021-41773
A 7-host Docker-based attack emulation lab designed to demonstrate a multi-stage kill chain, lateral movement, and multi-point IDS detection.
## Overview
This lab simulates a realistic network environment where an attacker progresses from initial reconnaissance to a foothold, and finally to a high-value target through pivoting. It features two independent Suricata IDS instances acting as sidecars to the critical hosts, providing a "defender's view" of the entire attack lifecycle.
### The Kill Chain
1. **Reconnaissance**: Attacker performs a network sweep (ICMP, TCP SYN, HTTP banner grabbing) across the `172.28.0.0/24` subnet.
2. **Foothold (CVE-2017-5638)**: Attacker exploits a vulnerable Apache Struts 2 server (`web-struts`) via OGNL injection in the `Content-Type` header.
3. **Pivoting (Lateral Movement)**: Using the compromised `web-struts` host, the attacker launches a secondary exploit against an internal target.
4. **Final Target (CVE-2021-41773)**: Attacker exploits a path traversal and RCE vulnerability in Apache HTTP Server 2.4.49 (`web-vuln`) to achieve root access.
## Lab Architecture
The lab consists of 10 containers in total:
* **Attacker (172.28.0.100)**: A Kali-like environment with pre-staged exploit scripts.
* **Target Hosts**:
* `web-struts` (172.28.0.11): Apache Struts 2.3.28 (Vulnerable to S2-045).
* `web-vuln` (172.28.0.10): Apache httpd 2.4.49 (Vulnerable to path traversal/RCE).
* `db-mysql` (172.28.0.12): Supporting database.
* `ssh-server` (172.28.0.13): Legacy foothold target.
* `ftp-server`, `smb-server`, `dns-server`: Infrastructure services for realism.
* **IDS Sidecars**:
* `ids-suricata-struts`: Monitors `web-struts` network namespace.
* `ids-suricata-web`: Monitors `web-vuln` network namespace.
## Getting Started
### Prerequisites
* Docker and Docker Compose v2.
* Bash-compatible shell.
### Setup
Run the setup script to build and start the environment:
```bash
./scripts/setup.sh
```
This will initialize the network, pull/build images, and start all 10 containers.
## Usage
The lab provides a dispatcher script to trigger different phases of the attack.
### Run Full Kill Chain
```bash
./scripts/attack.sh full
```
### Run Specific Phases
* **Reconnaissance Only**: `./scripts/attack.sh recon`
* **Struts Foothold**: `./scripts/attack.sh struts-foothold`
* **Struts-to-Web Pivot**: `./scripts/attack.sh struts-pivot`
* **Direct Exploit (No Pivot)**: `./scripts/attack.sh direct`
### Custom Commands
You can pass a custom command to be executed on the final target:
```bash
./scripts/attack.sh full "whoami; cat /etc/os-release"
```
## Monitoring Alerts
Alerts are written to individual `eve.json` files for each IDS instance:
* `./alerts/web-struts/eve.json`
* `./alerts/web-vuln/eve.json`
You can tail both feeds live using:
```bash
./scripts/tail-alerts.sh
```
## Cleanup
To stop and remove all lab components:
```bash
./scripts/teardown.sh
```