Bugged — TryHackMe

John likes to live in a very Internet connected world. Maybe too connected…

0xsanz
4 min read · Mar 5, 2023

This is a write-up for TryHackMe’s room named Bugged Pictures. Basic enumeration is required to find the open MQTT port. Then, using a Python module, we figure out how to subscribe and publish commands over MQTT and how to manipulate the payloads to get the flag.

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.100.217

PORT     STATE SERVICE
1883/tcp open mqtt

MQTT (MQ Telemetry Transport) is a lightweight, publish-subscribe, machine-to-machine network protocol for message queuing. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of Things (IoT).

# Perform further enumeration using nmap’s default scripts
nmap -sC -sV -p1883 10.10.100.217

PORT     STATE SERVICE                  VERSION
1883/tcp open mosquitto version 2.0.14
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/load/messages/received/1min: 89.70
| frontdeck/camera: {"id":17668538737957545603,"yaxis":-167.43144,"xaxis":153.28833,"zoom":1.2929888,"movement":false}…
