Silicon Data Sleuthing
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Silicon Data Sleuthing
- Category: Forensics
- Difficulty: Easy
- Points: 325
- Description: In the dust and sand surrounding the vault, you unearth a rusty PCB… You try to read the etched print, it says Open..W…RT, a router! You hand it over to the hardware gurus and to their surprise the ROM Chip is intact! They manage to read the data off the tarnished silicon and they give you back a firmware image. It’s now your job to examine the firmware and maybe recover some useful information that will be important for unlocking and bypassing some of the vault’s countermeasures!
Writeup
binwalk chal_router_dump.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
97696 0x17DA0 U-Boot version string, "U-Boot 1.1.3 (Aug 18 2020 - 11:10:29)"
98248 0x17FC8 CRC32 polynomial table, little endian
99600 0x18510 AES S-Box
100380 0x1881C AES Inverse S-Box
458752 0x70000 gzip compressed data, maximum compression, from Unix, last modified: 2021-09-17 15:32:23
1572864 0x180000 uImage header, header size: 64 bytes, header CRC: 0x95E11ADB, created: 2023-10-09 21:45:35, image size: 2802312 bytes, Data Address: 0x80001000, Entry Point: 0x80001000, data CRC: 0x8055BE8E, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: none, image name: "MIPS OpenWrt Linux-5.15.134"
1578428 0x1815BC Copyright string: "Copyright (C) 2011 Gabor Juhos <[email protected]>"
1578636 0x18168C LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 9229911 bytes
4375240 0x42C2C8 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3687796 bytes, 1328 inodes, blocksize: 262144 bytes, created: 2023-10-09 21:45:35
8126464 0x7C0000 JFFS2 filesystem, little endian
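Before trusting anything carved from the dump, a practitioner would confirm that the region binwalk labelled as the kernel is intact. The following is an added example (it is not from this writeup, nor U-Boot's or OpenWrt's own code) that parses the 64-byte legacy uImage header and recomputes both CRC32s the way U-Boot does: the header CRC over the header with its own CRC field zeroed, the data CRC over the `size` bytes that follow. It runs against a constructed stand-in image that carries the metadata binwalk printed; `check_dump()` applies the same check to the real file at offset 0x180000 when it is present. The timestamp is taken as UTC, which is an assumption about how binwalk rendered it.

```python
import struct
import zlib
from datetime import datetime, timezone

IH_MAGIC = 0x27051956
# Legacy U-Boot image header: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
IH_FMT = ">IIIIIIIBBBB32s"
IH_SIZE = struct.calcsize(IH_FMT)  # 64 bytes
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 5: "MIPS"}
IH_TYPE = {2: "OS Kernel Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Decode the header at `offset` and verify both CRCs against the bytes that follow."""
    if len(blob) < offset + IH_SIZE:
        raise ValueError("not enough data for a uImage header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_id, arch_id, type_id, comp_id, name) = struct.unpack_from(IH_FMT, blob, offset)
    if magic != IH_MAGIC:
        raise ValueError(f"bad uImage magic {magic:#x} at {offset:#x}")
    hdr = bytearray(blob[offset:offset + IH_SIZE])
    hdr[4:8] = b"\0\0\0\0"  # U-Boot computes the header CRC with ih_hcrc zeroed
    data = blob[offset + IH_SIZE:offset + IH_SIZE + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "created": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "size": size, "load": load, "entry": ep,
        "os": IH_OS.get(os_id, os_id), "arch": IH_ARCH.get(arch_id, arch_id),
        "type": IH_TYPE.get(type_id, type_id), "comp": IH_COMP.get(comp_id, comp_id),
        "hcrc_ok": crc32(bytes(hdr)) == hcrc,
        "dcrc_ok": len(data) == size and crc32(data) == dcrc,  # a short read fails too
    }


def build_uimage(payload: bytes, name: str, ts: int,
                 load: int = 0x80001000, ep: int = 0x80001000) -> bytes:
    """Wrap `payload` in a header like the dump's: OS=Linux(5), arch=MIPS(5), type=kernel(2), comp=none(0)."""
    body = struct.pack(IH_FMT, IH_MAGIC, 0, ts, len(payload), load, ep, crc32(payload),
                       5, 5, 2, 0, name.encode().ljust(32, b"\0"))
    return body[:4] + struct.pack(">I", crc32(body)) + body[8:] + payload


def check_dump(path: str, offset: int = 0x180000) -> dict:
    """Run the same check on a raw flash dump at the offset binwalk reported."""
    with open(path, "rb") as f:
        f.seek(offset)
        return parse_uimage(f.read())


if __name__ == "__main__":
    # Constructed stand-in for chal_router_dump.bin: erased-flash padding, then a fake
    # kernel carrying the metadata binwalk printed (timestamp taken as UTC, an assumption).
    fake_kernel = b"\0" * 16 + b"constructed MIPS kernel " * 40
    image = b"\xff" * 0x100 + build_uimage(fake_kernel, "MIPS OpenWrt Linux-5.15.134", 1696887935)
    for k, v in parse_uimage(image, offset=0x100).items():
        print(f"{k:>8}: {v:#x}" if k in ("load", "entry") else f"{k:>8}: {v}")
```

If either flag comes back False on the real dump, the read from the chip was not clean (or the header was tampered with), and the squashfs and JFFS2 offsets carved after it deserve the same scepticism; as a side effect, the image name answers the kernel-version question without unpacking anything.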
Extract:
binwalk -Me chal_router_dump.bin
Scan Time: 2024-05-19 19:35:35
Target File: /share/ctf/24business/forensics_silicon_data_sleuthing/chal_router_dump.bin
MD5 Checksum: c302f49b77ed21505320a722c5e69ba8
Signatures: 411
...[snip]...
Questions
Question 1 (OpenWRT Version)
What version of OpenWRT runs on the router (ex: 21.02.0)
> 23.05.0
[+] Correct!
reset ; fgrep -ri 'openwrt' .
...[snip]...
./squashfs-root-0/usr/lib/os-release:PRETTY_NAME="OpenWrt 23.05.0"
...[snip]...
Question 2 (Kernel)
What is the Linux kernel version (ex: 5.4.143)
> 5.15.134
[+] Correct!
reset ; fgrep -ri 'kernel' .
./squashfs-root/usr/lib/opkg/info/kmod-nf-log6.control:Depends: kernel (=5.15.134-1-9c242f353867f49a96054ff8c9f2c460), kmod-nf-log
The uImage header binwalk found at 0x180000 already carries the same answer in its image name, "MIPS OpenWrt Linux-5.15.134", so this one can be read straight off the scan without extracting anything.
Question 3 (Root Account)
What's the hash of the root account's password, enter the whole line (ex: root:$2$JgiaOAai....)
> root:$1$YfuRJudo$cXCiIJXn9fWLIt8WY2Okp1:19804:0:99999:7:::
[+] Correct!
reset ; grep -ri '\$[0-6]\$' . --text
./jffs2-root/work/work/#32:root:$1$YfuRJudo$cXCiIJXn9fWLIt8WY2Okp1:19804:0:99999:7:::
The hit is not under a normal path: work/work/#N is the overlayfs workdir of the JFFS2 overlay (rootfs_data) partition, where the kernel keeps copy-up temporaries named #<hex counter> before renaming them into upper/. By content, #32 is a copy of /etc/shadow (and, further down, #4 holds the network and wireless configs and #b the firewall config), so the work directory is worth grepping alongside upper/. The $1$ prefix means md5crypt (hashcat mode 500, john format md5crypt), and the third field, 19804 days since the epoch, dates the last password change to 2024-03-22.
Questions 4-5 (PPPoE)
What is the PPPoE username
> yohZ5ah
[+] Correct!
What is the PPPoE password
> ae-h+i$i^Ngohroorie!bieng6kee7oh
[+] Correct!
reset ; fgrep -ri 'pppoe'
jffs2-root/work/work/#4/network: option proto 'pppoe'
cat jffs2-root/work/work/#4/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:d441:6c4a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'yohZ5ah'
	option password 'ae-h+i$i^Ngohroorie!bieng6kee7oh'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
Questions 6-7 (WiFi)
What is the WiFi SSID
> VLT-AP01
[+] Correct!
What is the WiFi Password
> french-halves-vehicular-favorable
[+] Correct!
reset ; fgrep -ri 'ssid' .
./jffs2-root/work/work/#4/wireless: option ssid 'VLT-AP01'
cat ./jffs2-root/work/work/#4/wireless
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'VLT-AP01'
	option encryption 'sae-mixed'
	option key 'french-halves-vehicular-favorable'
	option ieee80211r '1'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
encryption 'sae-mixed' is WPA3 transition mode: key serves both as the SAE password and as the WPA2-PSK passphrase, so WPA2-only clients are still accepted, and the WPA2 side of the AP still exposes a 4-way handshake to offline guessing, which SAE alone would not. ieee80211r '1' enables 802.11r fast transition.
Question 8 (Firewall)
What are the 3 WAN ports that redirect traffic from WAN -> LAN (numerically sorted, comma separated: 1488,8441,19990)
> 1778,2289,8088
[+] Correct!
[+] Here is the flag: HTB{Y0u'v3_m4st3r3d_0p3nWRT_d4t4_3xtr4ct10n!!_fe0e1c06347e9625c8d7764d8c253fc8}
reset ; fgrep -ri 'redirect' .
./jffs2-root/work/work/#b:config redirect
./jffs2-root/work/work/#b:config redirect
./jffs2-root/work/work/#b:config redirect
cat ./jffs2-root/work/work/#b
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DB'
	option src 'wan'
	option src_dport '1778'
	option dest_ip '192.168.1.184'
	option dest_port '5881'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WEB'
	option src 'wan'
	option src_dport '2289'
	option dest_ip '192.168.1.119'
	option dest_port '9889'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NAS'
	option src 'wan'
	option src_dport '8088'
	option dest_ip '192.168.1.166'
	option dest_port '4431'
All three are DNAT redirects with src 'wan' and dest 'lan'; the answer is the WAN-facing src_dport values (1778, 2289, 8088), not the internal dest_port values they forward to (5881, 9889, 4431). The question asks for a numeric sort, which happens to match a string sort here but would not if a five-digit port were in the list.
Flag: HTB{Y0u'v3_m4st3r3d_0p3nWRT_d4t4_3xtr4ct10n!!_fe0e1c06347e9625c8d7764d8c253fc8}
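Questions 4 to 8 are all answered by reading UCI files, and grep stops scaling once a dump has more than a handful of them. The following is an added example (not from this writeup and not OpenWrt's own uci tooling) with a small parser for the `config` / `option` / `list` syntax, plus the three queries the questions ask for: the PPPoE credentials from the network config, the SSID and passphrase of every AP-mode interface from the wireless config, and the wan-to-lan DNAT redirects from the firewall config, sorted numerically by port. The embedded input is the relevant sections copied from the recovered files shown above; the assumed file names are the standard /etc/config/network, /etc/config/wireless and /etc/config/firewall, which the overlay's #4 and #b entries correspond to by content.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed input: the sections that matter, copied from the recovered
# network, wireless and firewall UCI files shown in the writeup.
NETWORK = """
config interface 'wan'
    option proto 'pppoe'
    option username 'yohZ5ah'
    option password 'ae-h+i$i^Ngohroorie!bieng6kee7oh'
"""
WIRELESS = """
config wifi-iface 'default_radio1'
    option mode 'ap'
    option ssid 'VLT-AP01'
    option encryption 'sae-mixed'
    option key 'french-halves-vehicular-favorable'
"""
FIREWALL = """
config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'DB'
    option src 'wan'
    option src_dport '1778'
    option dest_ip '192.168.1.184'
    option dest_port '5881'
config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'WEB'
    option src 'wan'
    option src_dport '2289'
    option dest_ip '192.168.1.119'
    option dest_port '9889'
config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'NAS'
    option src 'wan'
    option src_dport '8088'
    option dest_ip '192.168.1.166'
    option dest_port '4431'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI syntax: `config <type> ['<name>']`, followed by `option k 'v'` / `list k 'v'` lines."""
    sections: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)  # single quotes keep the $ ! ^ of the PPPoE password literal
        if toks[0] == "config" and len(toks) >= 2:
            cur = {"type": toks[1], "name": toks[2] if len(toks) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and len(toks) >= 3 and toks[0] == "option":
            cur["options"][toks[1]] = toks[2]
        elif cur is not None and len(toks) >= 3 and toks[0] == "list":
            cur["lists"].setdefault(toks[1], []).append(toks[2])
    return sections


def pppoe_credentials(network: List[Dict]) -> Optional[Tuple[str, str]]:
    for s in network:
        if s["type"] == "interface" and s["options"].get("proto") == "pppoe":
            return s["options"].get("username", ""), s["options"].get("password", "")
    return None


def access_points(wireless: List[Dict]) -> List[Tuple[str, str, str]]:
    """(ssid, encryption, key) for every AP-mode wifi-iface; key is the passphrase."""
    return [(s["options"].get("ssid", ""), s["options"].get("encryption", ""), s["options"].get("key", ""))
            for s in wireless if s["type"] == "wifi-iface" and s["options"].get("mode") == "ap"]


def wan_to_lan_redirects(firewall: List[Dict]) -> List[Tuple[int, str, str]]:
    """(wan_port, dest_ip, dest_port) for DNAT redirects from wan to lan, sorted numerically.
    UCI stores ports as strings; a string sort would put '10000' before '8088'."""
    hits = []
    for s in firewall:
        o = s["options"]
        if (s["type"] == "redirect" and o.get("src") == "wan" and o.get("dest") == "lan"
                and o.get("target", "DNAT") == "DNAT" and "src_dport" in o):  # DNAT is the UCI default
            hits.append((int(o["src_dport"]), o.get("dest_ip", ""), o.get("dest_port", "")))
    return sorted(hits)


def answer_q8(firewall: List[Dict]) -> str:
    return ",".join(str(port) for port, _, _ in wan_to_lan_redirects(firewall))


if __name__ == "__main__":
    print("PPPoE:", pppoe_credentials(parse_uci(NETWORK)))
    print("WiFi :", access_points(parse_uci(WIRELESS)))
    print("Q8   :", answer_q8(parse_uci(FIREWALL)))
```

Running it over every file under the extracted upper/ and work/ trees (rather than the three strings embedded here) gives the same answers and also surfaces anything grep for a single keyword would miss, such as a redirect whose target option is absent and therefore defaults to DNAT.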