This demo shows how the file_integrity module in Elastic's Auditbeat can be used to find machines that have the Apache Struts jar on disk.
It then exploits the vulnerability in Apache Struts and detects the resulting command executions with Auditbeat's auditd module.
Start Elasticsearch and Kibana, and install the Auditbeat dashboards:
docker-compose up
Start and provision a Debian 9 virtual machine:
vagrant up
The Vagrant machine will have:
- Auditbeat
- Tomcat 7
- Apache Struts Showcase Webapp
Run the exploit. The argument is the command the exploited Struts application will run on the target, so the resulting process execution shows up in the auditd module's events:
python exploit.py '/usr/bin/touch your-box-has-been-pwned'
Open Kibana on the host machine and check the Auditbeat dashboards for the file_integrity and auditd events.