HackTheBox - Broker

00:00 - Intro
01:00 - Start of nmap
01:45 - Logging into ActiveMQ with admin:admin and then failing to use the exploit from 2016
04:00 - Doing a full nmap scan, then running script scans on the open ports
07:50 - Finding a page that talks about CVE-2023-46604, the latest activemq exploit
11:00 - Pulling down an exploit payload for this exploit, it is golang
12:30 - Modifying the payload to execute a reverse shell, instead of downloading and executing an elf file. Need to HTML Entity Encode the payload
16:30 - Reverse shell returned, seeing we can run nginx as root
17:20 - Building an nginx config that runs as root and shares the entire filesystem
23:08 - Enabling the WebDav PUT so we can upload files to the server and uploading an SSH Key
27:05 - Showing we could upload a cron entry aswell to get code execution

Support the originator by clicking the read the rest link below.