Challenge 3 – hidden backdoor
A massive breach was detected at an insurance company. Their admin suspects that their Wi-Fi routers were compromised and have backdoors installed in them. Unfortunately, they have no clue how to go about uncovering it. Your colleague goes onsite and recovers the firmware by dumping the flash of the device.
Your mission is to uncover the backdoor and find the hidden user + password on the system.
Like in the previous challenges the first step I’ll do is to extract the content of the firmware image
After the firmware extraction is complete I’ll browse in the squashfs-root/etc directory. From there I’ll check the rc.local file
This looks like commandinjection to setup a hidden useraccount on startup
To crack the password I’ll use again hashcat and prepare the rc.local file for cracking
hashcat -m 1800 -a 0 rc.local 1000000-password-seclist.txt
After a while the hash is cracked:
password: gandalf 🙂