Tryhackme

Advent of Cyber — Day 24: Communication Protocols You Can’t Hurt SOC-mas, Mayor Malware!

Analyze captured MQTT traffic to reverse engineer the protocol commands and restore the smart lights sabotaged by Mayor Malware.

Odiomonafe Jamal . A

Learning Objectives

  1. Understand the basics of the MQTT protocol and its publish/subscribe model.
  2. Use Wireshark to analyze MQTT traffic for troubleshooting IoT devices.
  3. Reverse engineer network protocol commands to restore functionality to compromised devices.

Steps Performed

1. Setting Up the Challenge Environment

  1. Accessed the TryHackMe VM and navigated to the MQTTSIM/challenge/ directory.
  2. Executed the ./challenge.sh script to simulate the compromised smart lights scenario. This launched three interfaces:
     • MQTT broker (red window).
     • MQTT client.
     • Lights controller interface (GUI).

2. Analyzing MQTT Traffic

  1. Opened Wireshark and loaded the challenge.pcapng file from the challenge directory.
  2. Applied the mqtt display filter in Wireshark to isolate the relevant traffic.

3. Identifying Relevant MQTT Topics and Messages

  • Examined captured MQTT messages to understand the communication between the smart lights and the broker.
  • Observed the following key events in the packet data:
     • MQTT SUBSCRIBE messages indicating the lights subscribed to a specific topic.
     • MQTT PUBLISH messages controlling the state of the lights, with topics and corresponding payloads.
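As an added example (not part of the original write-up): a small Python decoder for the two MQTT 3.1.1 control packets the capture is built from, SUBSCRIBE and PUBLISH, so the topic/payload pairing Wireshark displays can be reproduced by hand. It also handles the packet identifier that QoS 1/2 publishes carry and multi-byte Remaining Length fields, which the write-up does not show. The topic and payload are those reported above; the packet bytes are constructed samples, not taken from challenge.pcapng.

```python
import struct

# Topic and payload reported in the write-up; the packet bytes below are
# constructed for this example, not extracted from challenge.pcapng.
TOPIC = "d2FyZXZpbGxL/Y2hyaXNObWFzbGlnaHRz"
PAYLOAD = b"on"

def _remaining_length(buf, pos):
    # 'Remaining Length' varint: 7 data bits per byte, 0x80 = more bytes, max 4 bytes
    value = 0
    for i in range(4):
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed Remaining Length")

def _utf8_string(buf, pos):
    # 2-byte big-endian length prefix followed by UTF-8 bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def decode_packet(buf):
    """Decode one MQTT 3.1.1 PUBLISH (type 3) or SUBSCRIBE (type 8) control packet."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    length, pos = _remaining_length(buf, 1)
    end = pos + length
    if end != len(buf):
        raise ValueError("Remaining Length does not match packet size")
    if ptype == 3:  # PUBLISH: topic, packet id only when QoS > 0, then payload
        qos = (flags >> 1) & 0x03
        topic, pos = _utf8_string(buf, pos)
        packet_id = struct.unpack_from(">H", buf, pos)[0] if qos else None
        pos += 2 if qos else 0
        return {"type": "PUBLISH", "qos": qos, "retain": bool(flags & 1), "packet_id": packet_id,
                "topic": topic, "payload": buf[pos:end].decode("utf-8", "replace")}
    if ptype == 8:  # SUBSCRIBE: packet id, then repeated (topic filter, requested QoS)
        (packet_id,) = struct.unpack_from(">H", buf, pos)
        pos, filters = pos + 2, []
        while pos < end:
            topic, pos = _utf8_string(buf, pos)
            filters.append((topic, buf[pos] & 0x03))
            pos += 1
        return {"type": "SUBSCRIBE", "packet_id": packet_id, "filters": filters}
    raise ValueError(f"unsupported control packet type {ptype}")

# Constructed samples: the controller subscribing to TOPIC, then a QoS 0 PUBLISH of "on".
_topic_field = struct.pack(">H", len(TOPIC)) + TOPIC.encode()
SUBSCRIBE_SAMPLE = bytes([0x82, 2 + len(_topic_field) + 1, 0, 1]) + _topic_field + b"\x00"
PUBLISH_SAMPLE = bytes([0x30, len(_topic_field) + len(PAYLOAD)]) + _topic_field + PAYLOAD
```

Feeding the raw bytes of the PUBLISH frames from the capture (Wireshark: right-click the MQTT layer, Copy as Hex Stream) into decode_packet yields the same topic and payload fields the dissector shows.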

4. Reconstructing the Command to Restore the Lights

  • Formulated the command needed to publish the message "on" to the topic d2FyZXZpbGxL/Y2hyaXNObWFzbGlnaHRz.
  • Ensured the MQTT broker was running by verifying the active windows launched by the challenge.sh script.

5. Executing the Command

  1. Ran the following command in the terminal to publish the required message:

  2. Observed the lights turning back on in the GUI interface, signaling the system’s restoration. Our flag then appears.

Analysis of Findings

  1. The compromised smart lights relied on the MQTT protocol for communication.
  2. The captured MQTT traffic revealed the structure of the publish/subscribe model:
     • The topic d2FyZXZpbGxL/Y2hyaXNObWFzbGlnaHRz was used to control lighting states.
     • The message "on" restored the lights to their operational state.
  3. Misconfigured or insufficiently secured MQTT setups can expose IoT devices to unauthorized control.

Tasks

What is the flag? THM{Ligh75on-day54ved}

Key Takeaways

  1. MQTT Protocol: Understanding MQTT is crucial for monitoring and troubleshooting IoT communication. The publish/subscribe model simplifies device interaction but requires robust security controls.
  2. Wireshark Analysis: Packet analysis is an effective method to reverse engineer protocols and identify issues in IoT systems.
  3. IoT Security: Proper authentication, topic isolation, and encryption are essential to safeguard smart devices from unauthorized access.

The End

Thank you all and Merry Christmas🎄
