TryHackMe — "Bugged" CTF Writeup
Category: IoT / MQTT
Difficulty: Easy–Medium
Protocol: MQTT (Message Queuing Telemetry Transport)
What is This Challenge About?
This challenge involves MQTT, a lightweight messaging protocol used by IoT (Internet of Things) devices like smart bulbs, cameras, thermostats, and sensors. The goal is to find a hidden flag by interacting with an exposed MQTT broker running on the target machine.
Step 1 — Port Scanning with RustScan
First, perform a fast port scan using RustScan:
Result:
PORT STATE SERVICE
22/tcp open ssh
1883/tcp open mqtt
Then follow up with a detailed Nmap scan:
Result:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu
1883/tcp open mosquitto version 2.0.14
Key finding: Port 1883 is running Eclipse Mosquitto — an open-source MQTT broker. 1883 is the plaintext MQTT port (no TLS), and this broker also accepts connections without any credentials.
Step 2 — Subscribe to All MQTT Topics
Install the MQTT client tools:
Subscribe to every topic using the # wildcard:
Messages received:
livingroom/speaker {"id":10589701363824486808,"gain":45}
patio/lights {"id":14635457030121816579,"color":"ORANGE","status":"ON"}
storage/thermostat {"id":17088743945837924791,"temperature":23.22}
kitchen/toaster {"id":15214270543706667258,"in_use":false}
frontdeck/camera {"id":15346945588628547553,"yaxis":159.3,"xaxis":-40.06}
yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config eyJpZCI6ImNkZDE...==
Key finding: One topic (yR3gPp0r8Y/.../config) is broadcasting a Base64-encoded message — this is suspicious and worth investigating.
Step 3 — Decode the Base64 Payload
Copy the Base64 string and decode it:
Decoded result (JSON):
What this tells us:
- There is a hidden device with a unique ID
- It accepts three commands: HELP, CMD, SYS
- We publish commands to the pub_topic
- We receive responses on the sub_topic
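As an added example (not from the original writeup), the script below automates what Steps 2 and 3 do by hand, from the side of someone auditing their own broker: it parses the `topic payload` lines that a `mosquitto_sub -v -t '#'` capture prints and flags any message whose Base64 payload decodes to JSON naming commands or topics. The capture, the device ID and the config key names (cmds, pub_topic, sub_topic) are constructed assumptions, since the page only shows a truncated payload.

```python
"""Audit a capture of MQTT traffic for leaked command-channel configs."""
import base64
import binascii
import json
import re

# Key names that suggest a payload describes a control channel (assumed list).
SUSPICIOUS_KEY = re.compile(r"topic|cmd|command", re.IGNORECASE)

def decode_b64_json(payload: str):
    """Return the dict if payload is strict Base64 wrapping a JSON object, else None."""
    try:
        raw = base64.b64decode(payload, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        return None  # plain JSON, binary or junk: not a hidden config
    return obj if isinstance(obj, dict) else None

def audit_capture(capture: str) -> list:
    """Scan `topic payload` lines and return one finding per leaked config."""
    findings = []
    for line in capture.splitlines():
        topic, _, payload = line.partition(" ")
        obj = decode_b64_json(payload.strip())
        if obj is None:
            continue
        hits = sorted(k for k in obj if SUSPICIOUS_KEY.search(k))
        if hits:
            findings.append({"topic": topic, "keys": hits, "config": obj})
    return findings

# Constructed stand-in for the room's truncated config payload; the key names
# (cmds, pub_topic, sub_topic) and the ID are assumptions, not the real ones.
_FAKE_CONFIG = {
    "id": "CONSTRUCTED-DEVICE-ID",
    "cmds": ["HELP", "CMD", "SYS"],
    "pub_topic": "example/pub",
    "sub_topic": "example/sub",
}
SAMPLE_CAPTURE = "\n".join([
    'livingroom/speaker {"id":10589701363824486808,"gain":45}',
    'kitchen/toaster {"id":15214270543706667258,"in_use":false}',
    "yR3gPp0r8Y/AGlaMxmHJe/qV66JF5qmH/config "
    + base64.b64encode(json.dumps(_FAKE_CONFIG).encode()).decode(),
])

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"LEAK on {f['topic']}: keys {f['keys']}")
```

Plain-JSON telemetry such as the speaker and toaster lines is ignored because it is not valid Base64, so only encoded payloads that decode to a JSON object with command- or topic-like keys are reported.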
Step 4 — Listen on the Sub Topic
Open Terminal 1 and keep it running throughout:
This is your listening channel — all responses will appear here.
Step 5 — Send Commands via Pub Topic
Commands must be sent as Base64-encoded JSON in this format:
Try the SYS Command
Encode it:
Publish it (Terminal 2):
Watch Terminal 1 for a Base64 response, then decode it.
Try the CMD Command — Run uname -a
Encode it:
Publish it:
Decoded response:
We have remote command execution!
Step 6 — Get the Flag
Encode the cat flag.txt command:
Publish it:
Decode the response from Terminal 1:
Flag:
flag{18d44fc0707ac8dc8be45bb83db54013}
Summary — Attack Chain
Port Scan (RustScan/Nmap)
↓
Found Port 1883 (MQTT - No Auth)
↓
Subscribe to all topics (#)
↓
Found Base64 payload on config topic
↓
Decoded JSON → Hidden pub/sub topics + commands
↓
Published CMD commands (Base64 encoded)
↓
Remote Command Execution → cat flag.txt
↓
FLAG CAPTURED ✓
Key Takeaways
| Issue | Risk |
|---|---|
| MQTT on port 1883 (no TLS) | Traffic is fully readable |
| No authentication enforced | Anyone can connect |
| Command execution over MQTT | Full RCE possible |
| Sensitive config broadcast publicly | Leaks internal topics and commands |
Lesson: IoT brokers exposed to the internet without authentication and encryption are a critical security risk. Always use port 8883 (MQTT over TLS) with strong credentials.
Writeup covers TryHackMe — Bugged room. For educational purposes only.