Broker — TryHackMe

0xsanz
5 min read · Mar 12, 2021

This is the write-up for TryHackMe’s room named Broker. The description says: “Paul and Max found a way to chat at work by using a certain kind of software. They think they outsmarted their boss, but do not seem to know that eavesdropping is quite possible… They better be careful…” Interesting. This room can be found here:

https://tryhackme.com/room/broker

As always, let’s scan the target with NMAP to see what is running on it.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.160.160

┌──(kali㉿kali)-[/]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.160.160
PORT STATE SERVICE
22/tcp open ssh
1883/tcp open mqtt
8161/tcp open patrol-snmp
42449/tcp open unknown

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449 10.10.160.160

┌──(kali㉿kali)-[/]
└─$ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449 10.10.160.160

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
|_ 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
1883/tcp open mqtt?
8161/tcp open http Jetty 7.6.9.v20130131
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ
42449/tcp open tcpwrapped

Do a TCP portscan on all ports with port number greater than 1000 and smaller than 10000! Which TCP ports do you find to be open? (counting up)

So, from the NMAP output above, the required ports are: 1883,8161

What is the name of the software they use?

Again, NMAP clearly shows that the software used is ActiveMQ. Port 8161 is also running HTTP, so let’s check it out in the browser.
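NMAP reports 1883 as `mqtt?`, where the trailing `?` means version detection could not confirm the service. The following is an added example, not part of the original write-up: a small check that sends one MQTT 3.1.1 CONNECT without credentials and classifies the reply, which is also how a broker owner can verify whether anonymous clients are accepted. The names `build_connect`, `parse_connack`, `probe` and the client id `audit-probe` are assumptions made for this example.

```python
import socket
import struct
import sys

# MQTT 3.1.1 CONNACK return codes (spec section 3.2.2.3)
CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "client identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}

def build_connect(client_id="audit-probe", keepalive=30):
    """Build an MQTT 3.1.1 CONNECT packet carrying no username or password."""
    cid = client_id.encode("utf-8")
    # Protocol name "MQTT", level 4, flags 0x02 (clean session only), keepalive
    variable_header = b"\x00\x04MQTT" + b"\x04" + b"\x02" + struct.pack("!H", keepalive)
    body = variable_header + struct.pack("!H", len(cid)) + cid
    if len(body) > 127:
        raise ValueError("client id too long for a one-byte remaining length")
    return bytes([0x10, len(body)]) + body  # 0x10 = CONNECT fixed header

def parse_connack(data):
    """Return (is_mqtt, verdict) for the first bytes the service sent back."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        return False, "not an MQTT CONNACK"
    return True, CONNACK_CODES.get(data[3], "unknown return code %d" % data[3])

def probe(host, port=1883, timeout=5.0):
    """Send one anonymous CONNECT to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect())
        reply = s.recv(4)
        if reply:
            s.sendall(b"\xe0\x00")  # DISCONNECT, so the session closes cleanly
    return parse_connack(reply)

if __name__ == "__main__":
    # Usage: python3 mqtt_check.py <broker-address>
    print(probe(sys.argv[1]))
```

A verdict of `accepted` means the broker lets unauthenticated clients connect; `not authorized` or `bad user name or password` means authentication is enforced.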
