July 4, 2026
Bugged CTF Walkthrough (TryHackMe)
A Beginner friendly Guide to solving the Bugged Room on TryHackMe

By Vanessa3
4 min read
Introduction
Bugged is a beginner-friendly TryHackMe room that introduces the basics of IoT security through a Capture the Flag (CTF) challenge. It helps beginners understand how IoT devices communicate using MQTT and how these protocols can be analyzed during a security assessment.
Room Information
- Platform: TryHackMe
- Room Name: Bugged
- Difficulty: Easy
- Category: IoT Security
- Objective: Capture the Flag (CTF)
BUGGED ROOM
Let's take a look of the Bugged lab on TryHackMe.
Strating the machine
Initial setup
After the machine starts, go to your machine and open the TryHackMe VPN connection.
Enumeration
For enumeration I used Nmap to discover the open ports, but unfortunately it only showed me one port (i.e. SSH), So I filtered the port from range 1–5000 and it gave me the result below.
nmap -sC -sV -p 1–5000 <IP> -T4 -oN Initialnmap -sC -sV -p 1–5000 <IP> -T4 -oN Initial
Open Ports Identified:
- SSH -22
- MQTT -1883
Before we dive into solving this lab, let's take a moment to understand MQTT, what it is, and how it works. Having basic understanding of MQTT will make it much easier to follow the steps in this challenge and understand the reasoning behind each action
What is MQTT?
MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol designed for devices with limited resources and low-bandwidth or unreliable network connections. It is widely used in Internet of Things (IOT) environments, where devices such as sensors, smart home appliances, and industrial equipment need to exchange data efficiently.
Unlike normal client-server communication, MQTT follows a publish/subscribe messaging model, allowing devices to communicate without directly interacting to one other.
How does it MQTT Work?
Instead of sending messages directly to another device, a publisher sends its message to the broker under a specific topic. Any client that has subscribed to that topic automatically receives the messages from the broker.
I hope you have basic understanding of this concept, so let's move into solving lab.
since we've already discovered MQTT broker is publicly accessible, we can directly use the MQTT tool. This tool allows us to publish messages to topics, subscribe and also to receive messages.
Exploring
mosquitto_sub -h <IP> -t '#'mosquitto_sub -h <IP> -t '#'It subscribes to all the MQTT topics on the broker.
The broker returns a message that appears to be Base64-encoded. as we can recognize by some characteristic symbols such as +, /, and ==.
Now let's use CyberChef tool to decode it or you can also decode using terminal if you are using Linux.
Using Terminal:
echo "<message>" | base64 -decho "<message>" | base64 -dUsing Cyber Chef:
Here, we can see the decoded output, it provides the pub_topic , and sub_topic along with the executable commands for the specific id. These details will be used to communicate with the MQTT broker in the subsequent steps.
Note: Id will be useful in the further steps.
Now, we can use these details to configure the MQTT publisher and subscriber. By publishing and subscribing to specified topics, we can retrieve the responses needed to proceed with the challenge.
Run the subscriber first because it listens for incoming responses:
mosquitto_sub -h <IP> -t "pub_topic"
mosquitto_sub -h <IP> -t "pub_topic"
It subscribes to the specified pub_topic. Whenever a message is published to this topic, MQTT broker automatically delivers it to all the subscribed clients.
Next, publish a message using the following command:
mosquitto_pub -t "sub_topic" -h <IP> -m "message"mosquitto_pub -t "sub_topic" -h <IP> -m "message"This publishes the specified message to the sub_topic. If broker or device processes the message, the response will be sent to the pub_topic, where our subscriber is already listening.
Now we can see the output as another base64, lets decode it.
As we can see, the response includes the CMD, ID, and argument fields. if we discover additional commands or valid IDs, we can modify values and send updated requests.
If you can remember in our first output, The result gave us an id. Let's change the id with the given id , as CMD and as ls. Once the payload is ready, encode it in Base64 and publish it to the MQTT broker to retrieve the response.
Just change the message into the base64 encoded string
Now lets publish to MQTT broker to recieve the response.
mosquitto_pub -t "sub_topic" -h <IP> -m "<base64 encoded string>"mosquitto_pub -t "sub_topic" -h <IP> -m "<base64 encoded string>"
we got the response back, again repeat the process.
Decode the response in the Cyberchef tool:
Now, as we know it contains flag.txt change the to "cat flag.txt"
Copy the Base64 encoded string and do the same thing as we did before: publish On MQTT broker.
Flag
After publishing the modified payload, the MQTT broker processes our request and returns the response.
After decoding it, we obtain the flag
Flag: flag{…}
ROOM COMPLETED SUCCESSFULLY.
Thank you for reading this walkthrough.