Peace be upon you, and the mercy and blessings of God; and prayers and peace be upon the Messenger of God, our master Muhammad.
As-salamu alaykum everyone! In this article, I’ll talk about my first RCE experience. It involved CVE-2023-46604 in Apache ActiveMQ. I’ll focus more on how I found it rather than bringing new stuff to the table for expert bug hunters.
In my recon process, I made sure to update my list of subdomains every week and scan for open ports every three days (though it’s better to do it every day). For subdomain enumeration, I used tools like Subfinder and Amass.
subfinder -dL domains.txt -o subdomains.txt
#then subdomains of subdomains
subfinder -dL subdomains.txt -o more-subdomains.txt
#using amass
amass enum -passive -norecursive -noalts -df domains.txt -o subs.txt
#then subdomains of subdomains
amass enum -passive -norecursive -noalts -df subs.txt -o more-subs.txt
Then:
cat more-subdomains.txt subdomains.txt subs.txt more-subs.txt | sort -u > targets.txt
After that I started port scanning. In some cases I got a lot of subdomains, sometimes more than 5k, so I made a simple script that checks the subdomains with DNSx and divides them into groups of 15. Then I ran Naabu with nohup to keep it running in the background.
The script I use:
#!/bin/bash
# Resolve the hosts in the given file, split the live ones into groups of 15,
# and port-scan each group in the background with naabu.
if [ $# -eq 0 ]; then
    echo "Usage: $0 <file>"
    exit 1
fi
dnsx -o "$1_ok.txt" < "$1"
split -l 15 "$1_ok.txt" 15_file_
for file in 15_file_*; do
    nohup naabu -list "$file" -p - -o "${file}.out" &
done
Then:
cat 15*out | sort -u > ports.out
Many times I manually checked that list. I filtered out hosts that might be honeypots, and sometimes Naabu gave unreliable results.
After that, I manually checked the hosts that had between 3 and 10 open ports. When I noticed a strange open port, I used Nmap to find out which service was running on it.
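The manual triage described above, from the merged ports.out down to the few hosts worth an Nmap service scan, as an added shell example (this is not the author's script; the hostnames are constructed and the input format of one host:port per line is assumed from naabu's default output):

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: turn naabu output (one
# host:port per line, like ports.out above) into the short list checked by
# hand, i.e. hosts with between MIN and MAX open ports. Very many open ports
# suggests a honeypot or a noisy scan result; very few is usually just a web server.
set -eu

# Usage: filter_hosts <naabu-output-file> [min] [max]
# Prints "host port1,port2,..." for each host whose open-port count is in range.
filter_hosts() {
    local infile="$1" min="${2:-3}" max="${3:-10}"
    sort -u "$infile" \
    | awk -F: -v min="$min" -v max="$max" '
        NF == 2 && $2 ~ /^[0-9]+$/ {      # ignore malformed lines
            count[$1]++
            ports[$1] = (ports[$1] == "" ? $2 : ports[$1] "," $2)
        }
        END {
            for (h in count)
                if (count[h] >= min && count[h] <= max)
                    print h, ports[h]
        }' \
    | sort
}

# Constructed sample standing in for the real ports.out (hostnames are made up).
sample_ports_out() {
    cat <<'EOF'
bamboo.example.com:54663
bamboo.example.com:22
bamboo.example.com:443
bamboo.example.com:443
quiet.example.com:443
garbage line without a port
EOF
    # A host answering on a dozen common ports looks like a honeypot: excluded by max.
    for p in 21 22 23 25 80 110 143 443 445 3306 3389 8080; do
        echo "noisy.example.com:$p"
    done
}

# Demo: filter the sample and print the Nmap service scan for each survivor.
demo() {
    local tmp; tmp="$(mktemp)"
    sample_ports_out > "$tmp"
    filter_hosts "$tmp" 3 10 | while read -r host ports; do
        echo "nmap -sS -sC -sV -p ${ports} ${host}"
    done
    rm -f "$tmp"
}
demo
```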
In this instance, there was a host named bamboo.target.com, and I noticed that it had an open port, 54663.
When I scanned it with Nmap using the -sSCV flags, I discovered that it was running Apache ActiveMQ, in a version affected by CVE-2023-46604.
Then, I simply applied the exploit, and it worked right away. I reported it in a detailed report, which turned out to be a smart move. Providing all the necessary information for the triager and the security team often leads to a good bonus for your efforts.
That’s all, folks! Thanks for your time. Feel free to check out my LinkedIn or Twitter — I’m looking for homies there!