<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Deserialization on appl3b0y</title>
    <link>https://appl3b0y.com/tags/deserialization/</link>
    <description>Recent content in Deserialization on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 04 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/deserialization/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Broker</title>
      <link>https://appl3b0y.com/writeups/broker/</link>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/broker/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Broker&lt;/strong&gt; is an easy Linux box built around a single, very topical vulnerability: &lt;strong&gt;CVE-2023-46604&lt;/strong&gt;, the Apache ActiveMQ OpenWire remote code execution bug that made a lot of noise in late 2023. It is a clean, two-step machine: get RCE on the message broker, then abuse one over-permissive &lt;code&gt;sudo&lt;/code&gt; rule to become root.&lt;/p&gt;&#xA;&lt;p&gt;The foothold is almost handed to us. The ActiveMQ web console uses default &lt;code&gt;admin:admin&lt;/code&gt; credentials, which is enough to read the exact version (5.15.15) and confirm it is vulnerable. From there, the OpenWire protocol on &lt;strong&gt;61616&lt;/strong&gt; lets us trigger a deserialization gadget that makes the broker fetch and execute a remote Spring XML, which runs our payload and returns a shell as the &lt;code&gt;activemq&lt;/code&gt; user. Privesc is a textbook GTFOBins move: &lt;code&gt;activemq&lt;/code&gt; can run &lt;code&gt;nginx&lt;/code&gt; under &lt;code&gt;sudo&lt;/code&gt;, so we start a root-owned nginx with WebDAV &lt;code&gt;PUT&lt;/code&gt; enabled and simply write our SSH key into &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt;.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
