finish hw4

2024-06-01 18:02:54 -07:00 · 2024-06-01 18:02:54 -07:00 · cfa0fd11ff
commit cfa0fd11ff
parent 84d2d4cbad
7 changed files with 111 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+_*/
+*bin
--- a/hw4/architecture.png
+++ b/hw4/architecture.png
--- a/hw4/found.png
+++ b/hw4/found.png
--- a/hw4/hw4.md
+++ b/hw4/hw4.md
@ -32,7 +32,115 @@ When writing this script I had to dig deeper into the packet capture to understa

 ![hashes](./hashes.png)

+Running `binwalk -M -e download.bin`, we can extract the underlying linux filesystem of this binary
+```
+djw2@pop-os:~/Documents/netsec/netsec-djw2/hw4$ binwalk -M -e download.bin
+
+Scan Time:     2024-06-01 17:24:53
+Target File:   /home/djw2/Documents/netsec/netsec-djw2/hw4/download.bin
+MD5 Checksum:  7aa6a7ebcbd98ce19539b668ff790655
+Signatures:    411
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+48            0x30            Unix path: /dev/mtdblock/2
+96            0x60            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4438276 bytes
+302958        0x49F6E         MySQL MISAM index file Version 4
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/localtime -> /tmp/localtime; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/TZ -> /tmp/TZ; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/resolv.conf -> /tmp/resolv.conf; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/mtab -> /proc/42002/mounts; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/etc/ppp/resolv.conf -> /tmp/resolv.conf.ppp; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/sbin/ip -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/pgrep -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/flock -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/uptime -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/free -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/ssh -> /usr/sbin/dropbear; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/top -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/usr/bin/scp -> /usr/sbin/dropbear; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/bin/ps -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+
+WARNING: Symlink points outside of the extraction directory: /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/squashfs-root/bin/kill -> /usr/bin/busybox; changing link target to /dev/null for security purposes.
+1441888       0x160060        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2208988 bytes, 1159 inodes, blocksize: 262144 bytes, created: 2019-08-06 21:20:37
+
+
+Scan Time:     2024-06-01 17:24:53
+Target File:   /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/60
+MD5 Checksum:  24d29d1dc329ae3314c4899a5e41fe83
+Signatures:    411
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+1040          0x410           Flattened device tree, size: 4729 bytes, version: 17
+3708304       0x389590        CRC32 polynomial table, little endian
+3734583       0x38FC37        Intel x86 or x64 microcode, sig 0x03000000, pf_mask 0x01, 2088-18-20, rev 0x3baa3000, size 136
+3869788       0x3B0C5C        xz compressed data
+3902428       0x3B8BDC        Unix path: /lib/firmware/updates/4.14.95
+3921700       0x3BD724        Unix path: /sys/firmware/devicetree/base
+3922521       0x3BDA59        Unix path: /sys/firmware/fdt': CRC check failed
+3931117       0x3BFBED        Neighborly text, "neighbor table overflow!solicit"
+3950660       0x3C4844        Neighborly text, "NeighborSolicitsports"
+3950680       0x3C4858        Neighborly text, "NeighborAdvertisements"
+3953602       0x3C53C2        Neighborly text, "neighbor %.2x%.2x.%pM lost rename link %s to %s"
+4280320       0x415000        ELF, 32-bit LSB MIPS64 shared object, MIPS, version 1 (SYSV)
+4437760       0x43B700        ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
+4437876       0x43B774        ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
+4438000       0x43B7F0        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
+4438116       0x43B864        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
+
+
+Scan Time:     2024-06-01 17:24:54
+Target File:   /home/djw2/Documents/netsec/netsec-djw2/hw4/_download.bin.extracted/_60.extracted/console
+MD5 Checksum:  d41d8cd98f00b204e9800998ecf8427e
+Signatures:    411
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+```
+
 ## Questions
 1) What architecture is the firmware intended to run on?
+The architecture appears to be MIPS 32-bit. This is shown by running `file` on the busybox binary
+![architecture.png](./architecture.png)
+
 2) What OS is the firmware running?
+As shown in etc/os-release, the OS appears to be OpenWRT
+![os.png](./os.png)
+
 3) What users are present on the system?
+root, daemon, ftp, network, nobody, and dnsmasq are the users present (seen in /etc/shadow and /etc/passwd)
+![users.png](./users.png)
+
+4) What is the root password?
+The hash of the root password shown above is as follows
+```
+root:$6$19yJir3t$DKemu8nRjxvuPbDZdZcdtsJiiVd7zAXN7Q63.eepYT.R0LqsDMYCzwetEO58sPROWiVfhY1Aeu3O3awr57fv50:17994:0:99999:7:::
+```
+`$6` indicated a sha512 hash and the next chunk `19yJir3t` indicates the salt.
+
+For sha512, we will want to use -m 1800 flag with hashcat
+
+![man-hashcat](./man-hashcat.png)
+
+I then tried to crack the password hashcat and rockyou.txt, but was unable to find the password. Some quick googling revealed the leetspeak.rule wordlist in combination with rockyou.txt might be a good choice (as well as the [page](https://noobintheshell.com/posts/mcafee_ctf_2021/) which simple gave us the password for this exercise)
+
+For fun, I'll crack the password anyways running `hashcat -O -m 1800 -a 0 -o found.txt hash.txt ~/Downloads/rockyou.txt -r ~/Downloads/leetspeak.rule`
+
+![found](./found.png)
+
+In about 4 minutes with my Nvidia 1080 Ti, we have cracked the password - That being `P@55w0rd!`
--- a/hw4/man-hashcat.png
+++ b/hw4/man-hashcat.png
--- a/hw4/os.png
+++ b/hw4/os.png
--- a/hw4/users.png
+++ b/hw4/users.png