Challenge 1 – find network backdoor
You have received a firmware image for forensic analysis. The network administrator uncovered this backdoor while monitoring the network. The Wi-Fi router only had port 22 and 80 open when they had installed it. However, the firewall seems to be picking up traffic on port 4763 as well. They did some preliminary analysis but to no avail. The attacker seems to have hidden the firmware well.
Firmware analysis is the process of recovering, extracting, and analyzing the contents of a firmware. A firmware here refers to a software (or operating system) running on an embedded device like a router, camera, refrigerator etc.
For this challenge I’ll use binwalk. binwalk is a solid and popular tool for working with firmware for devices which run some kind of OS. It is written in python. At a high-level, by default, binwalk iterates through all the bytes in a binary, looking for magic bytes. If finds one, it will report it on a table it prints to stdout.
It can also “carve” out (/extract) each segment it finds, so you can look at it in isolation. Use the -e flag to specify that it should extract files rather than print everything it finds to stdout. Extracted files all go into a directory called _filename.extracted (or _filename-[int].extracted, if that folder already exists), based on the filename of the file you’ve run binwalk against.
Let’s check the extracted content and browse in the squashfs root directory:
In the /etc directory I’ll have a closer look for the rc.local file which is a well-known file used to start processes or perform a task on boot up.
We can observe that FIREWALL_INIT is point to another file, probably a shell script. Let’s open that and see what it does
The script is running a suspicious command. The command is encoded as base64 and is decoding during execution.
I use the following command to decode, which reveals a netcat listener on port 4763
echo “bmMgLWwgNDc2Mw==” | base64 -d