Analyzing Router Firmware P4

Challenge 4 – Investigating Modifications

Original and modified OpenWRT router firmware are provided to us (openwrt-ar750-sysupgrade.bin.orig and openwrt-ar750-sysupgrade.bin respectively). Analyze the firmware and answer the following questions:

  1. When was the libc package was added in modified firmware? Provide the time in DD/MM/YY HH:MM:SS PM format (GMT).
  2. A file was modified to add a backdoor to the firmware. Provide the name the file.
  3. A newly added file contains a token for Amazon cloud. Locate that file and retrieve the token.

Let’s begin 😎

After extraction of both firmware files, I need a tool to compare and locate file changes.

For that I’ll use the git diff command

git diff --no-index _openwrt-ar750-sysupgrade.bin.orig.extracted/ _openwrt-ar750-sysupgrade.bin.extracted/

  • When was the libc package was added in modified firmware? Provide the time in DD/MM/YY HH:MM:SS PM format (GMT).

To answer this question I need a converter to get the GMT time format. This was also part of another challenge to get a ticket for the Bsides event in London last year.

  • A file was modified to add a backdoor to the firmware. Provide the name the file.

It’s the file rc.local. We can see a netcat listener on port 30000

  • A newly added file contains a token for Amazon cloud. Locate that file and retrieve the token

Amazon token is: 65eb14e6f3c3475d6b00867c2f0e4a3c

Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.


*