Challenge 4 – Investigating Modifications
Original and modified OpenWRT router firmware are provided to us (openwrt-ar750-sysupgrade.bin.orig and openwrt-ar750-sysupgrade.bin respectively). Analyze the firmware and answer the following questions:
- When was the libc package added in the modified firmware? Provide the time in DD/MM/YY HH:MM:SS PM format (GMT).
- A file was modified to add a backdoor to the firmware. Provide the name of the file.
- A newly added file contains a token for Amazon cloud. Locate that file and retrieve the token.
Let’s begin 😎
After extraction of both firmware files, I need a tool to compare and locate file changes.
For that I’ll use the git diff command:
git diff --no-index _openwrt-ar750-sysupgrade.bin.orig.extracted/ _openwrt-ar750-sysupgrade.bin.extracted/
- When was the libc package added in the modified firmware? Provide the time in DD/MM/YY HH:MM:SS PM format (GMT).
To answer this question I need a converter to get the GMT time format. This was also part of another challenge to get a ticket for the BSides event in London last year.
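The lookup and conversion for this question, as an added example that is not part of the original write-up: it assumes the install time comes from the Installed-Time field (a Unix epoch) of the opkg status file in each extracted root filesystem, which the write-up does not show. The sample stanzas, versions and timestamps are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample stanzas (not taken from the challenge images). In an
# extracted rootfs the file is assumed to be usr/lib/opkg/status.
ORIG_STATUS = """Package: busybox
Version: 1.30.1-5
Status: install ok installed
Installed-Time: 1577836800
"""
MOD_STATUS = ORIG_STATUS + """
Package: libc
Version: 1.1.24-2
Status: install user installed
Installed-Time: 1600000000
"""

def parse_status(text):
    """Return {package: {field: value}} from opkg status stanzas."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation of a multi-line field
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs

def fmt_gmt(epoch):
    """Unix epoch -> DD/MM/YY HH:MM:SS AM/PM in GMT, the format the challenge asks for."""
    dt = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return dt.strftime("%d/%m/%y %I:%M:%S ") + ("AM" if dt.hour < 12 else "PM")

def changed_packages(orig_text, mod_text):
    """Packages added to, or reinstalled in, the modified image."""
    orig, mod = parse_status(orig_text), parse_status(mod_text)
    out = []
    for name, f in sorted(mod.items()):
        when = f.get("Installed-Time")
        if name in orig and orig[name].get("Installed-Time") == when:
            continue  # same install time in both images
        reason = "changed" if name in orig else "added"
        out.append((name, reason, fmt_gmt(when) if when else "unknown"))
    return out

if __name__ == "__main__":
    for row in changed_packages(ORIG_STATUS, MOD_STATUS):
        print(*row)
```

On real images, pass the contents of the two status files instead of the constructed strings.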
- A file was modified to add a backdoor to the firmware. Provide the name of the file.
It’s the file rc.local. We can see a netcat listener on port 30000.
- A newly added file contains a token for Amazon cloud. Locate that file and retrieve the token
Amazon token is: 65eb14e6f3c3475d6b00867c2f0e4a3c