HTB: Broker - OSCP Prep Write-up
CVE-2023-46604 dropped while this machine was live - a critical Apache ActiveMQ RCE with a public PoC, CVSS 10.0. The privesc flips the script: instead of running code, nginx becomes a file server for the entire filesystem. Machine info Name Broker Platform HackTheBox OS Linux Difficulty Easy TL;DR Rustscan reveals port 61616 running Apache ActiveMQ 5.15.15 - vulnerable to CVE-2023-46604 Clone and adapt the public PoC: serve a malicious ClassInfo XML and trigger the RCE to land a shell as activemq sudo -l shows activemq can run /usr/sbin/nginx as root without a password Craft an evil nginx config with WebDAV PUT and root /; to expose the entire filesystem on port 1337 Read root.txt directly, or overwrite /etc/passwd to add a new root-level user Recon Port scan ...