Bugged — TryHackMe
John likes to live in a very Internet connected world. Maybe too connected…
This is a write-up for TryHackMe’s room named Bugged Pictures. Basic enumeration is required to find the open MQTT port; then, using a Python module, we figured out how to subscribe and publish commands over MQTT and how to manipulate the payloads to get the flag.
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.100.217
PORT STATE SERVICE
1883/tcp open mqtt
MQTT (MQ Telemetry Transport) is a lightweight, publish-subscribe, machine-to-machine network protocol for message queuing. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of Things (IoT).
# Perform further enumeration using nmap’s default scripts
⇒ nmap -sC -sV -p1883 10.10.100.217
PORT STATE SERVICE VERSION
1883/tcp open mosquitto version 2.0.14
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/messages/received/1min: 89.70
| frontdeck/camera: {"id":17668538737957545603,"yaxis":-167.43144,"xaxis":153.28833,"zoom":1.2929888,"movement":false}…