
Hello everyone! I’m Akshat Patel, pursuing a master’s in cybersecurity. I’m passionate about learning, solving challenges, and sharing insights. Today, I’ll take you through my experience with Day 24 of Advent of Cyber 2024, where we restored the lights of a smart city sabotaged by Mayor Malware!

The Story: A Smart City Under Attack

Wareville, a leading smart city, faced a crisis: Mayor Malware sabotaged the city’s IoT-powered smart lights, leaving the city in darkness during SOC-mas festivities. With the support team unavailable, it was up to us to analyze MQTT traffic, identify malicious commands, and restore the lights.

What I Learned

Basics of the MQTT Protocol

  1. MQTT is a lightweight protocol for IoT communication.
  2. It operates on a publish/subscribe model, with an MQTT broker routing messages.
  3. Topics categorize messages, allowing clients to subscribe to specific data.

Analyzing Network Traffic with Wireshark

  1. Filtering for specific protocols (like MQTT) pinpoints relevant data.
  2. Packet inspection reveals message topics, payloads, and communication flows.

Reverse Engineering Protocols

  1. Studying network captures helps understand device communication.
  2. This knowledge enables replicating device behavior to resolve issues.

Step-by-Step Walkthrough

Here’s how I restored Wareville’s lights:

1. Understanding MQTT Basics

  • Clients: Devices like sensors and controllers publish or subscribe to messages.
  • Broker: Intermediary routing messages between clients.
  • Topics: Message categories, e.g., home/lights.

2. Setting the Scene

  • The challenge environment included:
    • An MQTT broker (red window).
    • MQTT clients (blue window).
    • A light controller interface.
  • The lights were off, and controls were unresponsive.

3. Analyzing MQTT Traffic in Wireshark

  • Opened the provided challenge.pcapng file in Wireshark.
  • Filtered for MQTT traffic using: mqtt.
  • Discovered relevant topics and payloads:
    • Topic: home/lights.
    • Message: “on” (to turn the lights on).

4. Publishing the Correct Command

Used the mosquitto_pub command to publish the required MQTT message:

mosquitto_pub -h localhost -t "d2FyZXZpbGxl/Y2hyaXN0bWFzbGlnaHRz" -m "on"

5. Restoring the Lights

Executing the command restored the lights, and the flag appeared:

Flag: THM{Ligh75on-day54ved}
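To make the packet structure behind steps 3 and 4 concrete, here is an added Python example (not code from the room or from the original post) that builds the PUBLISH packet mosquitto_pub puts on the wire and parses PUBLISH packets back out of a raw MQTT byte stream, the same fields Wireshark's MQTT dissector shows. The sample stream, the PINGREQ and the packet identifier are constructed for the example.

```python
PUBLISH = 3  # MQTT 3.1.1 control packet type; high nibble of the first header byte

def encode_remaining_length(n: int) -> bytes:
    # MQTT variable-length integer: 7 data bits per byte, 0x80 marks a continuation byte.
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(data: bytes, pos: int):
    # Returns (remaining_length, offset of the variable header); the spec allows 1 to 4 bytes.
    value = 0
    for shift in range(0, 28, 7):
        byte, pos = data[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    # Wire form of mosquitto_pub -t <topic> -m <payload>; the packet identifier exists only for QoS 1/2.
    t = topic.encode()
    body = len(t).to_bytes(2, "big") + t + (packet_id.to_bytes(2, "big") if qos else b"") + payload
    return bytes([PUBLISH << 4 | qos << 1]) + encode_remaining_length(len(body)) + body

def parse_publish(pkt: bytes):
    # Returns (topic, payload, qos) for a PUBLISH packet, None for any other control packet.
    if pkt[0] >> 4 != PUBLISH:
        return None
    qos = (pkt[0] >> 1) & 0x03
    remaining, pos = decode_remaining_length(pkt, 1)
    tlen = int.from_bytes(pkt[pos:pos + 2], "big")
    topic = pkt[pos + 2:pos + 2 + tlen].decode()
    start = pos + 2 + tlen + (2 if qos else 0)  # payload start; skip the packet id when present
    return topic, pkt[start:pos + remaining], qos

def walk_stream(stream: bytes):
    # Splits a reassembled TCP stream into MQTT control packets and keeps only the PUBLISH messages.
    found, pos = [], 0
    while pos < len(stream):
        remaining, hdr_end = decode_remaining_length(stream, pos + 1)
        found.append(parse_publish(stream[pos:hdr_end + remaining]))
        pos = hdr_end + remaining
    return [msg for msg in found if msg]

# Constructed sample stream (not bytes from challenge.pcapng): a PINGREQ, an "off", then the "on" command.
TOPIC = "d2FyZXZpbGxl/Y2hyaXN0bWFzbGlnaHRz"
STREAM = bytes([0xC0, 0x00]) + build_publish(TOPIC, b"off") + build_publish(TOPIC, b"on", qos=1, packet_id=7)
```

Feeding `walk_stream` the bytes of a reassembled MQTT TCP stream lists every topic and payload in order, so an unexpected "off" to the lights topic stands out without clicking through packets one by one.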


Reflections

This challenge highlighted:

  1. Innovation vs. Security: Smart systems offer convenience but introduce vulnerabilities.
  2. Network Monitoring: Tools like Wireshark are invaluable for detecting malicious activity.
  3. Protocol Knowledge: Understanding MQTT enabled an efficient solution.

Question and Answer

Q: What is the flag? A: THM{Ligh75on-day54ved}


Final Thoughts

Every challenge reinforces my passion for cybersecurity. If you’re a recruiter or mentor, I hope my enthusiasm and dedication stand out. Connect with me on LinkedIn to guide me in my journey!

Thanks for reading, and happy SOC-mas! 🌻


Edit: Survey Flag: THM{we_will_be_back_in_2025}

If you’re still reading and not just here for the flags, thank you so much!


Here’s Akshat, signing off! <3