Share
## https://sploitus.com/exploit?id=AE004D91-C8AA-5DE3-8E14-481192A124DD
# Attacker Lab: CVE-2017-5638 & CVE-2021-41773

A 7-host Docker-based attack emulation lab designed to demonstrate a multi-stage kill chain, lateral movement, and multi-point IDS detection.

## Overview

This lab simulates a realistic network environment where an attacker progresses from initial reconnaissance to a foothold, and finally to a high-value target through pivoting. It features two independent Suricata IDS instances acting as sidecars to the critical hosts, providing a "defender's view" of the entire attack lifecycle.

### The Kill Chain

1.  **Reconnaissance**: Attacker performs a network sweep (ICMP, TCP SYN, HTTP banner grabbing) across the `172.28.0.0/24` subnet.
2.  **Foothold (CVE-2017-5638)**: Attacker exploits a vulnerable Apache Struts 2 server (`web-struts`) via OGNL injection in the `Content-Type` header.
3.  **Pivoting (Lateral Movement)**: Using the compromised `web-struts` host, the attacker launches a secondary exploit against an internal target.
4.  **Final Target (CVE-2021-41773)**: Attacker exploits a path traversal and RCE vulnerability in Apache HTTP Server 2.4.49 (`web-vuln`) to achieve root access.

## Lab Architecture

The lab consists of 10 containers in total:

*   **Attacker (172.28.0.100)**: A Kali-like environment with pre-staged exploit scripts.
*   **Target Hosts**:
    *   `web-struts` (172.28.0.11): Apache Struts 2.3.28 (Vulnerable to S2-045).
    *   `web-vuln` (172.28.0.10): Apache httpd 2.4.49 (Vulnerable to path traversal/RCE).
    *   `db-mysql` (172.28.0.12): Supporting database.
    *   `ssh-server` (172.28.0.13): Legacy foothold target.
    *   `ftp-server`, `smb-server`, `dns-server`: Infrastructure services for realism.
*   **IDS Sidecars**:
    *   `ids-suricata-struts`: Monitors `web-struts` network namespace.
    *   `ids-suricata-web`: Monitors `web-vuln` network namespace.

## Getting Started

### Prerequisites

*   Docker and Docker Compose v2.
*   Bash-compatible shell.

### Setup

Run the setup script to build and start the environment:

```bash
./scripts/setup.sh
```

This will initialize the network, pull/build images, and start all 10 containers.

## Usage

The lab provides a dispatcher script to trigger different phases of the attack.

### Run Full Kill Chain
```bash
./scripts/attack.sh full
```

### Run Specific Phases
*   **Reconnaissance Only**: `./scripts/attack.sh recon`
*   **Struts Foothold**: `./scripts/attack.sh struts-foothold`
*   **Struts-to-Web Pivot**: `./scripts/attack.sh struts-pivot`
*   **Direct Exploit (No Pivot)**: `./scripts/attack.sh direct`

### Custom Commands
You can pass a custom command to be executed on the final target:
```bash
./scripts/attack.sh full "whoami; cat /etc/os-release"
```

## Monitoring Alerts

Alerts are written to individual `eve.json` files for each IDS instance:

*   `./alerts/web-struts/eve.json`
*   `./alerts/web-vuln/eve.json`

You can tail both feeds live using:
```bash
./scripts/tail-alerts.sh
```

## Cleanup

To stop and remove all lab components:
```bash
./scripts/teardown.sh
```