Broker

Nmap scan

$ nmap -sC -sV -Pn -oN nmap 10.10.11.243
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 21:08 +08
Nmap scan report for 10.10.11.243
Host is up (0.016s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.22 seconds

Initial Access

Port 80

When we browse to port 80, we are greeted with an HTTP basic-authentication prompt. We tried the usual default credentials, such as admin/admin, and sure enough they worked. This is further confirmed by searching online for the product's default credentials.

After logging in, we are greeted with the web console. It appears that Apache ActiveMQ is running on this host.

Clicking into "Manage ActiveMQ broker" shows that the version is 5.15.15.

Searching online for known vulnerabilities affecting this version shows that there is one associated with it.
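The two findings above (an HTTP service behind a basic-auth realm that still accepts its documented default credentials, and a service whose reported version needs checking against vendor advisories) are exactly what a defender wants pulled out of a scan automatically. The script below is an added example, not part of the original writeup: it parses Nmap's text report (a constructed copy of the scan shown on this page) and flags both conditions. The realm-to-product table is the editor's assumption and only covers the one realm the page discusses.

```python
"""Triage an Nmap text report for services that deserve a hardening review.

Added example (not part of the original writeup). SAMPLE_NMAP is a constructed
copy of the scan shown on the page; DEFAULT_CRED_REALMS is an assumption that
covers only the realm the page discusses.
"""
import re

# Constructed sample input: the page's own nmap output, trimmed to the port table.
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
"""

# Realms whose product ships with documented default credentials. The page
# confirms admin/admin for the ActiveMQ web console; the table is otherwise an
# assumption and should be extended from your own asset inventory.
DEFAULT_CRED_REALMS = {
    "ActiveMQRealm": "Apache ActiveMQ web console (ships with admin/admin)",
}

# "22/tcp open  ssh     OpenSSH 8.9p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Nmap's http-auth script prints the realm as: basic realm=<name>
REALM_RE = re.compile(r'basic realm=("?)([^"\s]+)\1')


def parse_nmap(text):
    """Return one dict per port line; script output ("|" lines) is attached
    to the most recent port so the realm ends up on the right service."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "realm": None,
            }
            services.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue
        r = REALM_RE.search(line)
        if r:
            current["realm"] = r.group(2)
    return services


def findings(services):
    """Flag open services a defender should review first, in port order."""
    out = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["realm"] in DEFAULT_CRED_REALMS:
            out.append((s["port"], "default-credentials",
                        f"realm {s['realm']}: {DEFAULT_CRED_REALMS[s['realm']]}; "
                        "verify the shipped accounts have been changed or removed"))
        if s["version"]:
            out.append((s["port"], "version-review",
                        f"{s['service']} reported as {s['version']!r}; "
                        "check against vendor advisories"))
    return out


if __name__ == "__main__":
    for port, kind, detail in findings(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}  {kind:<20} {detail}")
```

Run against the sample, the script reports the SSH and nginx banners for a version review and singles out port 80 because its realm is one that ships with default credentials. Feeding it `nmap -oN` output from your own hosts turns the manual "search online for defaults" step of this writeup into a repeatable check.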

After reading the advisory and experimenting with the proof of concept, we know which details need to be supplied when running the exploit.

We also need to prepare the reverse shell payload that will be executed to obtain a user shell.

The poc-linux.xml file is modified as shown below.

After executing the exploit, we receive a reverse shell, which gives us the user shell.

Privilege Escalation

Getting a proper user shell

We copy our own SSH public key onto the target machine.

We then log in over SSH with the matching private key to get a proper shell.

Zimbra Nginx LPE

After some enumeration, we realised that the nginx command can be run as the root user.

A further search online shows that there is an exploit for local privilege escalation.
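The root cause of this escalation is a privilege grant, not a bug in nginx: a daemon that reads whatever configuration file it is pointed at, allowed to start as root by an unprivileged account. The script below is an added example, not code from the writeup or from the exploit it references. It parses `sudo -l` output (a constructed sample resembling the situation described above; that the page's nginx-as-root finding came from a sudoers rule is an assumption) and flags rules that hand a config-driven daemon to root, plus NOPASSWD grants. The list of risky binaries is the editor's own and is not exhaustive.

```python
"""Audit `sudo -l` output for rules that let a config-driven daemon run as root.

Added example (not from the original writeup). SAMPLE_SUDO_L is constructed;
CONFIG_DRIVEN_DAEMONS is the editor's own, non-exhaustive list.
"""
import re

# Constructed `sudo -l` output for a low-privileged service account.
SAMPLE_SUDO_L = """\
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) /usr/bin/systemctl restart activemq
"""

# Daemons that take a configuration file path on their command line and then
# act with the privileges they were started with. A sudo rule naming only the
# binary (no argument list) lets the caller choose that file.
CONFIG_DRIVEN_DAEMONS = {"nginx", "apache2", "httpd", "haproxy"}

# "(ALL : ALL) NOPASSWD: /usr/sbin/nginx" -> runas, tags, command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_l(text):
    """Return the command rules listed after the 'may run the following' line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()   # "(user : group)"
        tags = {t.strip(":") for t in m.group("tags").split()}
        cmd = m.group("cmd")
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        rules.append({"runas": runas_user, "tags": tags,
                      "command": cmd, "binary": binary})
    return rules


def audit(rules):
    """Return (severity, command, reason) tuples for risky rules."""
    issues = []
    for r in rules:
        as_root = r["runas"] in ("ALL", "root")
        bare_binary = len(r["command"].split()) == 1   # no fixed argument list
        if as_root and bare_binary and r["binary"] in CONFIG_DRIVEN_DAEMONS:
            issues.append(("HIGH", r["command"],
                           f"{r['binary']} starts as root with caller-chosen "
                           "arguments; pin the argument list or remove the rule"))
        if "NOPASSWD" in r["tags"]:
            issues.append(("MEDIUM", r["command"],
                           "no password required; compromise of this account "
                           "is immediately root-capable"))
    return issues


if __name__ == "__main__":
    for severity, command, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] {command}: {reason}")
```

On the sample the nginx rule is reported twice, once for the unconstrained root grant and once for NOPASSWD, while the systemctl rule passes because it carries a fixed argument list and a non-daemon binary. The same parser works on real `sudo -l` output collected by a configuration-audit job, and the fix it points at is the one that would have stopped the escalation in this writeup: do not let unprivileged accounts start nginx as root at all, or at minimum pin the full command line in sudoers.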

This is the exploit code from the website:

After running the exploit code, we can read the /etc/shadow file, which is normally accessible only by root.

This means that by modifying the payload we are able to read the content of /root/root.txt.

After executing the exploit again, we obtain the content of root.txt.
