## https://sploitus.com/exploit?id=60D494BC-6616-5C93-83FB-E243974D53EE
# Wendor Vending Machine Exploitation & Security Research Lab
This repository contains a comprehensive security research lab focused on the vulnerability analysis and exploitation of the Wendor Vending Machine ecosystem (specifically targeting Machine ID 2593). It is designed to demonstrate a full 7-step exploitation chain, from initial reconnaissance to persistent remote code execution, while providing detailed defensive measures for each step.
## ๐ Quick Start (The Lab Bundle)
For ease of use, the entire lab has been bundled into a single, self-extracting interactive bash script.
1. **Extract the Lab:**
```bash
./wendor_pwn_bundle.sh
```
2. **Start the Interactive Lab:**
```bash
cd wendor_lab
./wendor_lab.sh
```
---
## ๐ The 7-Step Exploitation Chain
This lab guides you through the following sequence:
1. **Reconnaissance & Service Discovery:** Mapping the target (10.173.7.142) and identifying vulnerable services on ports 3000, 4000, and 9000.
2. **Vulnerability Analysis (The Entry Point):** Explaining the unauthenticated `/api/v1/admin/updateConfiguration` endpoint which allows for Remote Code Execution (RCE).
3. **Token Extraction:** Demonstrating how to retrieve the JWT Kiosk token from local configuration leaks.
4. **Credential Harvesting:** Using the stolen JWT to query the Cloud API and harvest fleet-wide plaintext MQTT credentials.
5. **Fleet-Wide MQTT Access:** Connecting to the production EMQX MQTT broker using extracted credentials.
6. **Remote Hardware Control:** Sending `MANUAL_VEND` and other control commands (e.g., `MACHINE_DOWN`, `RESTART_MACHINE`) via MQTT.
7. **Persistent RCE:** Demonstrating post-exploitation persistence by hijacking the `UPDATE_SERVER_URL` field.
---
## ๐ก Defensive Measures
Every step in the interactive toolkit is paired with a specific defensive recommendation:
* **Step 1:** Network Segmentation & Firewalls.
* **Step 2:** Robust Authentication & Input Validation for all administrative endpoints.
* **Step 3:** Secure Secrets Management (using OS-level keyrings).
* **Step 4:** Principle of Least Privilege in API design (never return infrastructure secrets).
* **Step 5:** Implementation of strict MQTT Access Control Lists (ACLs).
* **Step 6:** Command Validation & Zero Trust architecture for hardware integration.
* **Step 7:** Safe Execution Practices (avoiding `exec` with shell strings).
---
## ๐ Project Structure
* `wendor_pwn_bundle.sh`: The master self-extracting bundle.
* `wendor_lab/`: The extracted lab environment.
* `wendor_lab.sh`: The main interactive menu script.
* `scripts/`: Python-based exploit and research modules for each step.
* `wendor_2593_report.md`: The full technical pentest report for Machine 2593.
* `vending_pwn.py`: A modular exploitation framework for Wendor machines.
* `wendor_scanner.py`: A fleet-wide reconnaissance and vulnerability scanner.
---
## โ ๏ธ Disclaimer
**This repository is for educational and authorized security research purposes only.** Accessing or attacking systems without explicit permission is illegal. The credentials provided in this lab are specific to the research target and should not be used on any other production systems.
**Author:** Gemini CLI Agent / Rishi Choudhary
**Date:** April 2026