Broker — TryHackMe Penetration Testing Walkthrough

Target Information

  • Machine Name: Broker
  • Platform: TryHackMe
  • Difficulty: Medium
  • Operating System: Linux

Reconnaissance

Network Scanning

A TCP service-discovery scan was run with Nmap's default scripts and version detection to identify open ports and running services.

nmap -sC -sV broker.thm

Identified Services:

Port   Service   Version
22     SSH       OpenSSH 8.2p1
1883   MQTT      Unknown
8161   HTTP      Apache ActiveMQ (Jetty 7.6.9)

The presence of Apache ActiveMQ exposed via HTTP represented the most promising attack vector.


Enumeration

Web Application Enumeration

Directory fuzzing was performed against the ActiveMQ web interface to identify hidden or restricted endpoints.

ffuf -u http://broker.thm:8161/FUZZ -w 10k-most-common.txt

Results:

  • /admin — Administrative interface (HTTP 401)

This confirmed the presence of a management console, commonly associated with weak default credentials and historical vulnerabilities.


Vulnerability Analysis

Apache ActiveMQ — CVE-2016-3088

Research into the identified ActiveMQ version revealed a known and critical vulnerability:

  • CVE-2016-3088 — Arbitrary file upload and remote code execution via HTTP PUT and MOVE requests.

This vulnerability affects Apache ActiveMQ 5.x versions prior to 5.14.0 and allows unauthenticated or weakly authenticated attackers to execute arbitrary code on the server.


Initial Access

Administrative Access

Testing common default credentials resulted in successful authentication to the admin panel:

admin : admin

This misconfiguration enabled further interaction with the vulnerable ActiveMQ components.

Remote Code Execution

By exploiting CVE-2016-3088, a reverse shell was obtained on the target system, resulting in user-level access.

The user flag was located within the service directory and successfully retrieved.


Privilege Escalation

Two independent privilege escalation paths were identified, demonstrating multiple weaknesses in system configuration.


Method 1 — Writable /etc/shadow

Enumeration with linpeas.sh revealed that /etc/shadow was world-writable:

-rwxrwxrwx 1 root shadow /etc/shadow

This severe misconfiguration allowed direct manipulation of password hashes.

A new SHA-512 password hash was generated:

openssl passwd -6 hacked

The root user’s hash was replaced with the generated value, enabling root authentication:

su root

Root access was successfully obtained, and the root flag was retrieved.


Method 2 — Sudo Misconfiguration with Python Script

Reviewing sudo permissions revealed the following rule:

(ALL) NOPASSWD: /usr/bin/python3.7 /opt/apache-activemq-5.9.0/subscribe.py

The target script was writable by the low-privileged user:

-rw-rw-r-- activemq activemq subscribe.py

By injecting arbitrary Python code:

import os
os.system("/bin/bash")

and executing the script via sudo, a root shell was obtained without any password prompt.
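Both escalation paths share one root cause: a file that a privileged operation trusts (the password database, the script named in a sudo rule) is writable by an unprivileged account. The following Python audit is added here and is not part of the original walkthrough; it checks a host snapshot for both conditions. The FileInfo type, SAMPLE_FS and the function names are assumptions, and the snapshot is constructed from the permissions and sudo rule reported above.

```python
import re
import stat
from typing import Dict, Iterable, List, NamedTuple

class FileInfo(NamedTuple):
    mode: int    # permission bits, i.e. os.stat().st_mode & 0o777
    owner: str
    group: str

# Constructed snapshot mirroring what the walkthrough reports; a real audit
# would fill it from os.stat(), pwd and grp on the host being checked.
SAMPLE_FS: Dict[str, FileInfo] = {
    "/etc/shadow": FileInfo(0o777, "root", "shadow"),
    "/usr/bin/python3.7": FileInfo(0o755, "root", "root"),
    "/opt/apache-activemq-5.9.0/subscribe.py": FileInfo(0o664, "activemq", "activemq"),
}

# One line of `sudo -l` output: "(runas) TAG: TAG: /path/to/cmd args..."
SUDO_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def writable_by(info: FileInfo, user: str, groups: Iterable[str]) -> bool:
    """Can `user` (a member of `groups`) write this file? (root's DAC override is ignored)"""
    if info.owner == user and info.mode & stat.S_IWUSR:
        return True
    if info.group in set(groups) and info.mode & stat.S_IWGRP:
        return True
    return bool(info.mode & stat.S_IWOTH)

def shadow_exposed(fs: Dict[str, FileInfo]) -> bool:
    """Method 1: /etc/shadow should be 0640 root:shadow; any group/other write bit
    or a non-root owner lets unprivileged users rewrite password hashes."""
    info = fs["/etc/shadow"]
    return info.owner != "root" or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))

def risky_sudo_targets(rules: Iterable[str], user: str, groups: Iterable[str],
                       fs: Dict[str, FileInfo]) -> List[str]:
    """Method 2: paths named in a NOPASSWD rule that `user` can write. Such a file
    lets the user run arbitrary code as the runas account with no password."""
    findings: List[str] = []
    for line in rules:
        m = SUDO_RULE.match(line.strip())
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        for token in m.group("cmd").split():
            info = fs.get(token)
            if info and writable_by(info, user, groups):
                findings.append(token)
    return findings
```

Running both checks against SAMPLE_FS flags /etc/shadow and subscribe.py, which is exactly the pair of findings a hardening pass on this host should produce; the fix is 0640 root:shadow on the shadow file and root ownership with mode 0755 (or no NOPASSWD rule at all) on anything sudo is allowed to run.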
