finish hw4

David Westgate 2024-06-01 18:02:54 -07:00
parent 84d2d4cbad
commit cfa0fd11ff
7 changed files with 111 additions and 1 deletions

.gitignore vendored Normal file

@ -0,0 +1,2 @@
_*/
*bin
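Review bot: `*bin` on the second line matches any path whose name ends in "bin", so a directory called `bin` or a file such as `sbin` would be ignored as well; if the intent is to keep firmware images like `download.bin` out of the repository, `*.bin` says that more precisely. `_*/` likewise ignores every directory that starts with an underscore, so a short comment noting that it targets binwalk's `_download.bin.extracted` output would help the next reader.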

BIN
hw4/architecture.png Normal file

Binary file not shown.

Size: 23 KiB

BIN
hw4/found.png Normal file

Binary file not shown.

Size: 78 KiB


@ -32,7 +32,115 @@ When writing this script I had to dig deeper into the packet capture to understa
![hashes](./hashes.png) ![hashes](./hashes.png)
Running `binwalk -M -e download.bin`, we can extract the underlying linux filesystem of this binary
```
djw2@pop-os:~/Documents/netsec/netsec-djw2/hw4$ binwalk -M -e download.bin
Scan Time: 2024-06-01 17:24:53
Target File: /home/djw2/Documents/netsec/netsec-djw2/hw4/download.bin
MD5 Checksum: 7aa6a7ebcbd98ce19539b668ff790655
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
48 0x30 Unix path: /dev/mtdblock/2
96 0x60 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4438276 bytes
302958 0x49F6E MySQL MISAM index file Version 4
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/localtime -> /tmp/localtime; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/TZ -> /tmp/TZ; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/resolv.conf -> /tmp/resolv.conf; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/mtab -> /proc/42002/mounts; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/ppp/resolv.conf -> /tmp/resolv.conf.ppp; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/sbin/ip -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/pgrep -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/flock -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/uptime -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/free -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/ssh -> /usr/sbin/dropbear; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/top -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/scp -> /usr/sbin/dropbear; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/bin/ps -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/bin/kill -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
1441888 0x160060 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2208988 bytes, 1159 inodes, blocksize: 262144 bytes, created: 2019-08-06 21:20:37
Scan Time: 2024-06-01 17:24:53
Target File: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/60
MD5 Checksum: 24d29d1dc329ae3314c4899a5e41fe83
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1040 0x410 Flattened device tree, size: 4729 bytes, version: 17
3708304 0x389590 CRC32 polynomial table, little endian
3734583 0x38FC37 Intel x86 or x64 microcode, sig 0x03000000, pf_mask 0x01, 2088-18-20, rev 0x3baa3000, size 136
3869788 0x3B0C5C xz compressed data
3902428 0x3B8BDC Unix path: /lib/firmware/updates/4.14.95
3921700 0x3BD724 Unix path: /sys/firmware/devicetree/base
3922521 0x3BDA59 Unix path: /sys/firmware/fdt': CRC check failed
3931117 0x3BFBED Neighborly text, "neighbor table overflow!solicit"
3950660 0x3C4844 Neighborly text, "NeighborSolicitsports"
3950680 0x3C4858 Neighborly text, "NeighborAdvertisements"
3953602 0x3C53C2 Neighborly text, "neighbor %.2x%.2x.%pM lost rename link %s to %s"
4280320 0x415000 ELF, 32-bit LSB MIPS64 shared object, MIPS, version 1 (SYSV)
4437760 0x43B700 ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
4437876 0x43B774 ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
4438000 0x43B7F0 ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
4438116 0x43B864 ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
Scan Time: 2024-06-01 17:24:54
Target File: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/_60.extracted/console
MD5 Checksum: d41d8cd98f00b204e9800998ecf8427e
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
```
## Questions ## Questions
1) What architecture is the firmware intended to run on? 1) What architecture is the firmware intended to run on?
The architecture appears to be MIPS 32-bit. This is shown by running `file` on the busybox binary
![architecture.png](./architecture.png)
2) What OS is the firmware running? 2) What OS is the firmware running?
3) What users are present on the system? As shown in etc/os-release, the OS appears to be OpenWRT
![os.png](./os.png)
3) What users are present on the system?
root, daemon, ftp, network, nobody, and dnsmasq are the users present (seen in /etc/shadow and /etc/passwd)
![users.png](./users.png)
4) What is the root password?
The hash of the root password shown above is as follows
```
root:$6$19yJir3t$DKemu8nRjxvuPbDZdZcdtsJiiVd7zAXN7Q63.eepYT.R0LqsDMYCzwetEO58sPROWiVfhY1Aeu3O3awr57fv50:17994:0:99999:7:::
```
`$6` indicated a sha512 hash and the next chunk `19yJir3t` indicates the salt.
For sha512, we will want to use -m 1800 flag with hashcat
![man-hashcat](./man-hashcat.png)
I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simple gave us the password for this exercise)
For fun, I'll crack the password anyways running `hashcat -O -m 1800 -a 0 -o found.txt hash.txt ~/Downloads/rockyou.txt -r ~/Downloads/leetspeak.rule`
![found](./found.png)
In about 4 minutes with my Nvidia 1080 Ti, we have cracked the password - That being `P@55w0rd!`
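Review bot: In the answer to question 4, `$6` is described as "a sha512 hash", but the `$6$` prefix marks sha512crypt, the salted and iterated crypt(3) scheme, which is what hashcat's `-m 1800` targets; a plain SHA-512 digest is a different hashcat mode, so the text should name sha512crypt to explain why 1800 is the right flag. The same paragraph calls `leetspeak.rule` a wordlist, while the command passes it with `-r` as a rule file applied to `rockyou.txt`, and it has a few slips worth fixing ("indicated", "crack the password hashcat", "simple gave"). The pasted binwalk output would read better with the repeated symlink warnings trimmed, and the answer to question 1 should state the endianness and reconcile "MIPS 32-bit" with the `32-bit LSB MIPS64 shared object` line that binwalk reports inside the decompressed `60` blob.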

BIN
hw4/man-hashcat.png Normal file

Binary file not shown.

Size: 40 KiB

BIN
hw4/os.png Normal file

Binary file not shown.

Size: 82 KiB

BIN
hw4/users.png Normal file

Binary file not shown.

Size: 40 KiB