Running an nmap scan, we find that only mosquitto is running on port 1883.

Notice all the topics and their recent payloads. This shows that there is no authentication mechanism in place, leaving the system vulnerable.

Let’s use the mosquitto_sub command to subscribe to topics and listen to the network traffic.

The base64 data sticks out. Let’s see what’s inside.

Notice the "registered_commands":["HELP","CMD","SYS"]. Maybe we can run some commands using mosquitto_pub.

Let’s set up our listener with mosquitto_sub and publish some commands with mosquitto_pub.

No response from the pub_topic, let’s try the sub_topic.

WE GOT SOMETHING. Let’s decode that message at the end.

Seems like we can run commands on the host! But it also seems like we have to base64-encode the message first.

Using the id of the original base64 message we discovered, let’s craft our message:

{"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d", "cmd": "CMD", "arg": "ls"}

Encoding it and sending, we get a response!

Decoding, we find that there’s the flag.txt file.

Changing the “arg” to “cat flag.txt”, we get the flag!

After decoding, we’ve completed this room!
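From the defender's side, the same base64-wrapped JSON that made this room solvable is easy to spot in a feed of MQTT messages. The following is an added example, not code from the room or this writeup: it decodes captured (topic, payload) pairs, looks for the `cmd` field against the `registered_commands` list the broker advertised, and reports which topic is being used as a command channel. The sample traffic and the all-zero `id` are constructed for the demo.

```python
import base64
import binascii
import json

# Commands the broker in the room advertised in its "registered_commands" field.
REGISTERED_COMMANDS = {"HELP", "CMD", "SYS"}


def decode_payload(raw: bytes):
    """Return the JSON object hidden in a base64-encoded MQTT payload, or None."""
    try:
        decoded = base64.b64decode(raw, validate=True)
        return json.loads(decoded)
    except (binascii.Error, ValueError):
        # Not base64, not valid UTF-8, or not JSON: treat as ordinary telemetry.
        return None


def flag_command_messages(messages, registered=REGISTERED_COMMANDS):
    """Scan (topic, payload) pairs and return one finding per message that
    carries a registered command, so a defender can see which topic is
    being used to push commands to the host."""
    findings = []
    for topic, payload in messages:
        obj = decode_payload(payload)
        if not isinstance(obj, dict):
            continue
        cmd = obj.get("cmd")
        if cmd in registered:
            findings.append({"topic": topic, "id": obj.get("id"),
                             "cmd": cmd, "arg": obj.get("arg")})
    return findings


# Constructed sample traffic (not captured from the room): a plain sensor
# reading, a command message on pub_topic, and a base64 status message.
SAMPLE_MESSAGES = [
    ("sensors/temp", b"22.5"),
    ("pub_topic", base64.b64encode(json.dumps(
        {"id": "00000000-0000-0000-0000-000000000000",  # placeholder id
         "cmd": "CMD", "arg": "ls"}).encode())),
    ("status", base64.b64encode(b'{"registered_commands":["HELP","CMD","SYS"]}')),
]

if __name__ == "__main__":
    for f in flag_command_messages(SAMPLE_MESSAGES):
        print(f"command on topic {f['topic']!r}: {f['cmd']} {f['arg']}")
```

Pairing this with `allow_anonymous false` and a password file in mosquitto.conf closes the root cause; the scanner only tells you it is being used.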
