Web


Nmap discovered a web server on the target port 80. The running service is nginx 1.18.0 (Ubuntu).

The webroot is locked behind basic HTTP authentication.

The default credential, admin:admin, worked, and I am redirected to the index page at index.html. This is Apache ActiveMQ.

Apache ActiveMQ


Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client. It provides “Enterprise Features”, which in this case means fostering communication between more than one client or server. Supported clients include Java via JMS 1.1 as well as several other “cross language” clients. The communication is managed with features such as computer clustering and the ability to use any database as a JMS persistence provider besides virtual memory, cache, and journal persistency.

Here are key aspects of Apache ActiveMQ:

  1. Messaging System:
    • Message Broker: ActiveMQ acts as a message broker, facilitating communication between distributed applications. It enables the exchange of messages (data) between different software systems.
  2. Messaging Protocols:
    • Support for Various Protocols: ActiveMQ supports multiple messaging protocols, including Java Message Service (JMS), Message Queue Telemetry Transport (MQTT), and Advanced Message Queuing Protocol (AMQP). This makes it versatile and suitable for various types of applications.
  3. Key Features:
    • Persistence: ActiveMQ supports message persistence, ensuring that messages are not lost even if the broker or the application restarts.
    • Transaction Support: It provides support for distributed transactions, allowing multiple operations to be performed atomically.
    • Clustering: ActiveMQ can be configured in a clustered setup to provide high availability and fault tolerance.
  4. Use Cases:
    • Integration: ActiveMQ is commonly used in enterprise integration scenarios where different applications and systems need to exchange data reliably.
    • Decoupling Components: It enables a decoupled architecture by allowing components of a distributed system to communicate asynchronously through messages.
    • Event-Driven Architectures: ActiveMQ is suitable for implementing event-driven architectures where components react to events by exchanging messages.
  5. Why ActiveMQ:
    • Reliability: ActiveMQ provides features such as persistence and clustering, making it reliable and fault-tolerant.
    • Interoperability: It supports various messaging protocols, enabling communication between applications implemented in different programming languages and running on different platforms.
    • Scalability: ActiveMQ can be scaled horizontally by adding more broker nodes to handle increased message loads.
  6. Components:
    • Broker: The central component that manages the routing, storing, and delivering of messages between producers and consumers.
    • Producer: An application or system component that sends messages to the broker.
    • Consumer: An application or system component that receives and processes messages from the broker.
  7. Default Ports:
    • OpenWire Protocol: 61616 (TCP)
    • AMQP (Advanced Message Queuing Protocol): 5672 (TCP)
    • Stomp (Streaming Text Oriented Messaging Protocol): 61613 (TCP)
    • MQTT (Message Queuing Telemetry Transport): 1883 (TCP)
    • Web Console: 8161 (TCP)
    • JMX (Java Management Extensions): 1099 (TCP)

In summary, Apache ActiveMQ is a robust and versatile messaging broker that facilitates communication between distributed applications. It is used to enable reliable and asynchronous communication, supporting various messaging protocols and providing essential features for enterprise integration and event-driven architectures.

This explains those open ports discovered during the Recon phase. Additionally, it appears that I am accessing the Web console over the nginx proxy over port 80, as the very same web application could be seen in the target port 8161, which is likely the actual source.

Enumeration will be continued through here.

admin page


Checking the admin page reveals that the Web console is running off a localhost network. I would imagine that it’s running on the 127.0.0.1:8161 socket and proxied over 0.0.0.0:80 via nginx. Additionally, the version information could be seen: 5.15.5.

Vulnerability


Searching Apache ActiveMQ 5.15.5 online for vulnerabilities reveals that the target instance appears to be suffering from a remote code execution vulnerability: [CVE-2023-46604](https://nvd.nist.gov/vuln/detail/CVE-2023-46604)
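
A defender-side check of the two findings above, as an added example that is not part of the original write-up: it flags ActiveMQ default ports bound to non-loopback addresses in `ss -tln` output and tests a broker version against the first fixed releases for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3, per the Apache advisory). The `ss` output is a constructed sample and the function names are hypothetical.

```python
import re

# Default ActiveMQ listeners, as listed in the write-up above.
ACTIVEMQ_PORTS = {61616: "OpenWire", 5672: "AMQP", 61613: "STOMP",
                  1883: "MQTT", 8161: "Web Console", 1099: "JMX"}

# First fixed release on each later branch; anything below 5.15.16 is affected.
FIXED = {(5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

# Constructed sample of `ss -tln` output (not taken from the target).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       50      *:61616             *:*
LISTEN  0       50      127.0.0.1:8161      0.0.0.0:*
LISTEN  0       50      *:1883              *:*
LISTEN  0       128     [::]:22             [::]:*
"""

def is_vulnerable(version):
    """True if this ActiveMQ version predates the CVE-2023-46604 fix."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))
    if v < (5, 15, 16):
        return True
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def exposed_listeners(ss_output):
    """Return (port, service, bind address) for ActiveMQ ports not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        loopback = host.startswith("127.") or host.strip("[]") == "::1"
        if int(port) in ACTIVEMQ_PORTS and not loopback:
            findings.append((int(port), ACTIVEMQ_PORTS[int(port)], host))
    return findings

if __name__ == "__main__":
    for port, service, host in exposed_listeners(SAMPLE_SS):
        print(f"[!] {service} listening on {host}:{port} (not loopback-only)")
    print("5.15.5 affected by CVE-2023-46604:", is_vulnerable("5.15.5"))
```

Binding the web console to loopback, as in the sample, does not limit exposure when a reverse proxy republishes it, so the proxy's upstream and the console credentials need the same review.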