## https://sploitus.com/exploit?id=29A02B80-16A7-5D6B-B903-8BB533BA9212
# Broker Machine Pentesting Report
## Target & Overview
- **Machine:** Broker (Linux)
- **Service:** Apache ActiveMQ
This machine hosts a vulnerable version of **Apache ActiveMQ**. The key vulnerability exploited is:
### CVE-2023-46604 โ Unauthenticated Remote Code Execution (RCE)
- **Impact:** Allows attackers to execute arbitrary commands as the `activemq` user.
- **Risk:** Combined with sudo misconfigurations, this can lead to full **root compromise**, exposing sensitive data and system control.
---
## Key Findings & Exploitation
1. **Initial Access:**
- ActiveMQ RCE used to execute a reverse shell, gaining access as `activemq` user.
2. **Privilege Escalation:**
- Misconfigured sudo allowed `activemq` user to run `/usr/sbin/nginx` as root.
- Leveraged this to gain **root privileges** and access `/root/root.txt`.
3. **Persistence & Stealth:**
- Payloads hosted in memory (`/dev/shm`) to avoid disk-based detection.
- Root SSH access established via `authorized_keys`.
---
## Lessons & Takeaways
- Exposed services like ActiveMQ can be critical entry points.
- Sudo misconfigurations are high-value escalation vectors.
- Memory-based attacks are effective for stealth and persistence.
---
**References:**
- [CVE-2023-46604 PoC](https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ)
- [Apache ActiveMQ](https://activemq.apache.org/)