https://www.hackthebox.com/machines/Broker

OS: Linux

10.129.230.87

Credentials:

UsernamePassword

nmap results:

PORT      STATE SERVICE    REASON         VERSION
22/tcp    open  ssh        syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp    open  http       syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp  open  mqtt       syn-ack ttl 63
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     ActiveMQ/Advisory/MasterBroker: 
|_    ActiveMQ/Advisory/Consumer/Topic/#: 
5672/tcp  open  amqp?      syn-ack ttl 63
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       syn-ack ttl 63 Jetty 9.4.39.v20210325
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
40335/tcp open  tcpwrapped syn-ack ttl 63
61613/tcp open  stomp      syn-ack ttl 63 Apache ActiveMQ
| fingerprint-strings: 
|   HELP4STOMP: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       syn-ack ttl 63 Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
61616/tcp open  apachemq   syn-ack ttl 63 ActiveMQ OpenWire transport 5.15.15

Attack + Enum Vectors: (Ports, etc.)

  • TCP 8161: HTTP Jetty 9.4.39
  • TCP 1883: MQTT?
  • TCP 5672: AMQP?
  • TCP 61613: stomp Apache ActiveMQ?
  • TCP 61614: HTTP Jetty 9.4.39
  • TCP 80: HTTP nginx 1.18.0
  • TCP 40335
  • TCP 22: SSH OpenSSH 8.9p1

Initial Foothold

searching up the exploit for the version of activemq we found an exploit:

https://github.com/rootsecdev/CVE-2023-46604

it can execute and force the server to make a request to us to execute a code for reverse shell in the directory of

/opt/apache-activemq-5.15.15/bin

Priv Esc

sudo -l has something with nginx without need of password: but did not seem promising after trying https://gtfobins.org/gtfobins/nginx/

After watching ippsec he seemed to used the same way i tried. I retried: this time doesnt work too. Now i studied how this works again and appearantly it copies the public key from current .ssh of current direcotry to root .ssh directory; therefore i changed directory to my home then re-generated a key and followed https://gtfobins.org/gtfobins/nginx/ and finally: we uploaded the id_rsa, using the key with ssh and we got root.

Therefore pwn’d.


Conclusion & Remediation

I did this box before I started writing my write ups on my blog so it is not the best formatted. However, I learned that trying to understand how everything works is important since if it doesn’t work initially: doesn’t mean it doesn’t work, could mean we’re not using it properly or lacking some knowledge

To remediate for similar attacks from this lab: system administrators needs to make sure to not use vulnerable web message brokers like the activemq in this lab, and update them. In addition, misconfigured sudo privileges needs to be removed to remediate for privilege escalation attacks and to follow the principle of least privileges.