Analyzing Router Firmware P3

Challenge 3 – hidden backdoor

A massive breach was detected at an insurance company. Their admin suspects that their Wi-Fi routers were compromised and have backdoors installed in them. Unfortunately, they have no clue how to go about uncovering it. Your colleague goes onsite and recovers the firmware by dumping the flash of the device.

Your mission is to uncover the backdoor and find the hidden user + password on the system. 

As in the previous challenges, my first step is to extract the contents of the firmware image.

After the firmware extraction is complete, I browse to the squashfs-root/etc directory and check the rc.local file.

This looks like command injection to set up a hidden user account on startup.
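The same review can be automated across the whole extracted etc directory. The script below is an added example, not part of the original write-up: it flags lines that embed a crypt-style password hash or modify the account database. The sample tree, the `demo` account and the placeholder hash are constructed for illustration and are not the contents of the challenge's rc.local.

```python
import os
import re
import tempfile

# user:$id$salt$digest as stored in passwd/shadow; id 6 = sha512crypt (hashcat -m 1800)
CRYPT_RE = re.compile(r"([A-Za-z_][\w.-]*):\$([156])\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86}")
# Commands or redirections that modify the account database
ACCOUNT_RE = re.compile(r">>?\s*/etc/(?:passwd|shadow)\b|\b(?:useradd|adduser|chpasswd)\b")
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

def scan_rootfs(root):
    """Flag lines under <root>/etc that embed a crypt hash or touch the account database."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "etc")):
        for name in files:
            path = os.path.join(dirpath, name)
            # passwd/shadow legitimately hold hashes; symlinks may leave the extracted tree
            if name in ("passwd", "shadow") or os.path.islink(path):
                continue
            try:
                with open(path, errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue
            for number, line in enumerate(lines, 1):
                if line.lstrip().startswith("#"):
                    continue
                hit, writes = CRYPT_RE.search(line), bool(ACCOUNT_RE.search(line))
                if hit or writes:
                    findings.append({
                        "file": os.path.relpath(path, root), "line": number,
                        "user": hit.group(1) if hit else None,
                        "scheme": SCHEMES[hit.group(2)] if hit else None,
                        "writes_account_db": writes,
                    })
    return findings

def build_sample(root):
    """Constructed sample tree; the hash is a placeholder, not the one from the challenge."""
    os.makedirs(os.path.join(root, "etc"))
    fake_hash = "$6$constructed$" + "A" * 86
    with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed sample\n")
        fh.write("echo 'demo:%s:0:0::/root:/bin/sh' >> /etc/passwd\nexit 0\n" % fake_hash)
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_rootfs(tmp):
            print(finding)
```

Point `scan_rootfs` at the directory that contains the extracted `etc` (for example squashfs-root) to run it against a real image.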

To crack the password I'll use hashcat again and prepare the rc.local file for cracking:


hashcat -m 1800 -a 0 rc.local 1000000-password-seclist.txt

After a while the hash is cracked:

username: ssl

password: gandalf 🙂
