Say Cheese!
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Say Cheese!
- Category: Hardware
- Difficulty: Easy
- Points: 350
- Description: The crew’s humanitarian mission attracts the ire of the Enclave, who deploys drones to monitor their efforts. In a stroke of luck, the crew manages to shoot down one of the drones. Seizing the opportunity, they bring the drone back to their workshop and carefully disassemble it. The drone’s components are numerous, but the camera stands out as it is a separate module. Scanning the camera with Nmap reveals it runs Telnet, though it’s password-protected. Analyzing the chips, they identify a flash memory similar to the W25Q128 family. The crew’s tech specialist examines the device closely. The goal: to hijack the drones and thwart the Enclave’s surveillance and attacks.
Writeup
This challenge is very similar to the one featured in HTB Cyber Apocalypse CTF 2024.
Spin up the Docker container and put the provided IP address and port into client.py:
python3 client.py
[239, 64, 24]
The Python script client.py appears to be a client-side program that interacts with a server-side system, likely a hardware device or an emulator of one. Its general purpose seems to be exchanging data and commands with that device or emulator.
Specifically, the task description mentions the discovery of a flash memory chip (W25Q128) inside an RFID lock. The script may be used to communicate with this chip or another hardware component related to the challenge.
- [0x9F]: a hex value representing the command to request the JEDEC ID of the flash memory device.
- 3: a parameter indicating the number of bytes to read in response to the command. In this case, it requests 3 bytes of data, which correspond to the JEDEC ID.
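The same command-plus-read-length exchange scales from the JEDEC ID to a full dump. The sketch below is an added example, not the challenge's client.py: `exchange` and `FakeFlash` are hypothetical stand-ins for the remote interface, the flash contents are constructed, and the opcodes are the standard SPI NOR ones (0x9F for JEDEC ID, 0x03 for Read Data with a 24-bit address). The reply [239, 64, 24] is 0xEF 0x40 0x18, a Winbond ID with capacity code 0x18, i.e. 2^24 bytes = 16 MiB.

```python
JEDEC_ID, READ_DATA = 0x9F, 0x03  # standard SPI NOR opcodes


class FakeFlash:
    """Constructed stand-in for the remote chip; answers 0x9F and 0x03 only."""

    def __init__(self, contents, jedec=(0xEF, 0x40, 0x18)):
        self.contents, self.jedec = bytes(contents), list(jedec)

    def exchange(self, tx, rx_len):
        """Hypothetical transport: send command bytes, get rx_len reply bytes."""
        if tx[0] == JEDEC_ID:
            return self.jedec[:rx_len]
        if tx[0] == READ_DATA and len(tx) == 4:
            addr = int.from_bytes(bytes(tx[1:4]), "big")
            data = self.contents[addr:addr + rx_len]
            return list(data) + [0xFF] * (rx_len - len(data))  # erased = 0xFF
        raise ValueError("unsupported command")


def flash_size(exchange):
    """Decode the JEDEC ID; on W25Q parts byte 3 is log2(capacity in bytes)."""
    manufacturer, mem_type, capacity = exchange([JEDEC_ID], 3)
    if capacity > 0x18:
        raise ValueError("over 16 MiB: 3-byte addresses cannot reach it all")
    return manufacturer, mem_type, 1 << capacity


def dump_flash(exchange, size, chunk=256):
    """Read size bytes using 0x03 plus a 24-bit big-endian address per chunk."""
    image = bytearray()
    for addr in range(0, size, chunk):
        want = min(chunk, size - addr)
        reply = exchange([READ_DATA, *addr.to_bytes(3, "big")], want)
        if len(reply) != want:
            raise IOError(f"short read at {addr:#x}: {len(reply)}/{want}")
        image += bytes(reply)
    return bytes(image)


def verified_dump(exchange, size):
    """Dump twice and compare so a flaky link cannot silently corrupt the image."""
    first, second = dump_flash(exchange, size), dump_flash(exchange, size)
    if first != second:
        raise IOError("two passes differ; do not trust this dump")
    return first


if __name__ == "__main__":
    chip = FakeFlash(b"constructed sample data", jedec=(0xEF, 0x40, 0x14))
    vendor, mem_type, size = flash_size(chip.exchange)
    print(hex(vendor), hex(mem_type), size, verified_dump(chip.exchange, size)[:23])
```

Comparing two passes before running binwalk catches transport glitches that would otherwise surface later as a corrupt squashfs.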
After dumping the firmware, we binwalk it and extract a squashfs filesystem!
dumpimage -l firmware.bin
Image Name: jz_fw
Created: Wed May 15 07:48:58 2024
Image Type: MIPS Linux Firmware (uncompressed)
Data Size: 11075584 Bytes = 10816.00 KiB = 10.56 MiB
Load Address: 00000000
Entry Point: 00000000
binwalk firmware.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x562C89CA, created: 2024-05-15 11:48:58, image size: 11075584 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0xE89A0BAD, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: none, image name: "jz_fw"
64 0x40 uImage header, header size: 64 bytes, header CRC: 0x6F5948F4, created: 2020-05-26 05:03:55, image size: 1907357 bytes, Data Address: 0x80010000, Entry Point: 0x80421870, data CRC: 0xD8FCDDFA, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux-3.10.14"
128 0x80 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: -1 bytes
2097216 0x200040 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3289996 bytes, 414 inodes, blocksize: 131072 bytes, created: 2024-05-15 11:42:45
5570624 0x550040 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 593566 bytes, 13 inodes, blocksize: 131072 bytes, created: 2020-08-20 09:14:54
6225984 0x5F0040 JFFS2 filesystem, little endian
binwalk -Me firmware.bin
Grep the extracted filesystems for the flag:
fgrep -ri 'HTB{' . --text
./squashfs-root/etc/init.d/rcS:# HTB{SPI_t0_b4ckd00r1ng_4_cam3r4_ismart12}
./squashfs-root-0/etc/init.d/rcS:# HTB{SPI_t0_b4ckd00r1ng_4_cam3r4_ismart12}
Flag: HTB{SPI_t0_b4ckd00r1ng_4_cam3r4_ismart12}