Start with nmap ...
we found that we have 2 Open ports , 1883 for the mqtt service and 8161 http for Activemq
Manually check the http, we got auth required for admin dir
Search for Default Creds for Activemq
you can find an interesting topic called "secret_chat"
Use Mqtt client to Subscribe to the "secret_chat" and see the queued messages
Searching for Activemq CVE i found this github page for cve-2016-3088 https://github.com/coffeehb/Some-PoC-oR-ExP/tree/master/ActiveMQExP
checking the "sudo -l" first we Got this..
We can run subscribe.py as a root, we check if we have a write permissions to the file.
Yes we have!, now we can exploit it easly by adding shell in the file.
run the file.
Have fun! :D