Share
## https://sploitus.com/exploit?id=29A02B80-16A7-5D6B-B903-8BB533BA9212
# Broker Machine Pentesting Report

## Target & Overview
- **Machine:** Broker (Linux)  
- **Service:** Apache ActiveMQ    

This machine hosts a vulnerable version of **Apache ActiveMQ**. The key vulnerability exploited is:

### CVE-2023-46604 โ€“ Unauthenticated Remote Code Execution (RCE)
- **Impact:** Allows attackers to execute arbitrary commands as the `activemq` user.  
- **Risk:** Combined with sudo misconfigurations, this can lead to full **root compromise**, exposing sensitive data and system control.

---

## Key Findings & Exploitation
1. **Initial Access:**  
   - ActiveMQ RCE used to execute a reverse shell, gaining access as `activemq` user.  

2. **Privilege Escalation:**  
   - Misconfigured sudo allowed `activemq` user to run `/usr/sbin/nginx` as root.  
   - Leveraged this to gain **root privileges** and access `/root/root.txt`.

3. **Persistence & Stealth:**  
   - Payloads hosted in memory (`/dev/shm`) to avoid disk-based detection.  
   - Root SSH access established via `authorized_keys`.

---

## Lessons & Takeaways
- Exposed services like ActiveMQ can be critical entry points.  
- Sudo misconfigurations are high-value escalation vectors.  
- Memory-based attacks are effective for stealth and persistence.  

---

**References:**  
- [CVE-2023-46604 PoC](https://github.com/SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ)  
- [Apache ActiveMQ](https://activemq.apache.org/)