Challenge 2 – weak root password
You’ve received an OpenWRT based firmware for analysis. The company assures you that the firmware is secure. You have your doubts!
Your mission is to recover the root password hash from the firmware and crack it!
In this challenge we have a file called firmware.bin and a passwordlist that I’ll later use for a bruteforce attack.
Again it’s a Squashfs filesystem. Let’s extract it.
binwalk -e firmware.bin
Let’s browse to the /etc directory and have a look for the shadow file
cp shadow /home/student
Let’s copy the shadow file over to my student home directory and do a vi of the file to remove all the other accounts
For the cracking part I use the tool hashcat
hashcat -m 1800 -a 0 shadow 1000000-password-seclist.txt
Bruteforce attacks always took some time…
Ther’e we are, the root password is q1w2e3r4