{"id":224,"date":"2025-08-02T18:59:00","date_gmt":"2025-08-02T18:59:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=224"},"modified":"2025-12-28T19:25:44","modified_gmt":"2025-12-28T19:25:44","slug":"broker-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=224","title":{"rendered":"Broker- Hackthebox lab"},"content":{"rendered":"\n

As always, I start off the assessment with scanning for open TCP and UDP ports.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I started looking into the ActiveMQ service and did a search for version 5.15.15. This led to the CVE-2023-46604 exploit with a public RCE on GitHub.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I pulled down the exploit to my attack machine and ran the thing.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I got a reverse shell on my listener.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

At this point I must have gotten distracted and started working on the setlist for my band, here is a screenshot of that.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Running “sudo -l” I see that the user has permissions to run nginx as root.<\/p>\n\n\n\n

By default Nginx starts as root (so it can bind to low ports) then immediately drops to the user named in the user directive (often www-data or nginx). Setting it explicitly to root stops that privilege drop, so every worker process keeps root\u2019s file-system permissions. I snagged this conf file from https:\/\/0xdf.gitlab.io\/2023\/11\/09\/htb-broker.html<\/a>. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This basically allows me to read and write files to the root directory so I was able to read out the required flag.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I also created a key pair for ssh and write the public key to the \/root\/.ssh\/ folder to attempt an ssh connection with no password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

With the public key on the target box. I was able to connect with ssh gaining access to the root user on the box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In this lab, Broker\u2019s lesson is simple: least privilege is not optional security hygiene- it\u2019s the last line of defense. One overly permissive sudo rule, one careless config file, and the entire filesystem becomes a public website.<\/p>\n","protected":false},"excerpt":{"rendered":"

As always, I start off the assessment with scanning for open TCP and UDP ports. I started looking into the ActiveMQ service and did a search for version 5.15.15. This led to the CVE-2023-46604 exploit with a public RCE on GitHub. I pulled down the exploit to my attack machine […]<\/p>\n","protected":false},"author":1,"featured_media":225,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=224"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/224\/revisions"}],"predecessor-version":[{"id":415,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/224\/revisions\/415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/225"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}