AWS - MQ Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about MQ check:
mq:ListBrokers
, mq:CreateUser
With those permissions you can create a new user in an ActimeMQ broker (this doesn't work in RabbitMQ):
Potential Impact: Access sensitive info navigating through ActiveMQ
mq:ListBrokers
, mq:ListUsers
, mq:UpdateUser
With those permissions you can create a new user in an ActimeMQ broker (this doesn't work in RabbitMQ):
Potential Impact: Access sensitive info navigating through ActiveMQ
mq:ListBrokers
, mq:UpdateBroker
If a broker is using LDAP for authorization with ActiveMQ. It's possible to change the configuration of the LDAP server used to one controlled by the attacker. This way the attacker will be able to steal all the credentials being sent through LDAP.
If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this).
Potential Impact: Steal ActiveMQ credentials
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)