{"id":696,"date":"2020-08-18T23:48:06","date_gmt":"2020-08-18T22:48:06","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=696"},"modified":"2020-09-07T21:25:54","modified_gmt":"2020-09-07T20:25:54","slug":"analyzing-router-firmware-p3","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=696","title":{"rendered":"Analyzing Router Firmware P3"},"content":{"rendered":"

Challenge 3 – hidden backdoor<\/strong><\/p>\n

A massive breach was detected at an insurance company. Their admin suspects that their Wi-Fi routers were compromised and have backdoors installed in them. Unfortunately, they have no clue how to go about uncovering it. Your colleague goes onsite and recovers the firmware by dumping the flash of the device.<\/p>\n

Your mission is to uncover the backdoor and find the hidden user + password on the system.\u00a0<\/b><\/p><\/blockquote>\n

Like in the previous challenges the first step I’ll do is to extract the content of the firmware image<\/p>\n

\"\"<\/a><\/p>\n

After the firmware extraction is complete I’ll browse in the squashfs-root\/etc directory. From there I’ll check the rc.local file<\/p>\n

\"\"<\/a><\/p>\n

This looks like commandinjection to setup a hidden useraccount on startup<\/p>\n

\"\"<\/a><\/p>\n

To crack the password I’ll use again hashcat and prepare<\/strong> the rc.local file for cracking<\/p>\n

ssl:$6$2jX357gX$atKiUd8KtjITKXF.osCPbU8sUt2hVcxHjVvhm96gyrFzLU17wDXNRTPsycLUTNzm6WdOg2TjCbLzeEXn9nzB0\/:17799:0:99999:7:::<\/code><\/p>\n

hashcat -m 1800 -a 0 rc.local 1000000-password-seclist.txt<\/code><\/strong><\/p>\n

\"\"<\/a><\/p>\n

After a while the hash is cracked:<\/p>\n

\"\"<\/a><\/p>\n

username: ssl<\/p>\n

password: gandalf \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

Challenge 3 – hidden backdoor A massive breach was detected at an insurance company. Their admin suspects that their Wi-Fi routers were compromised and have […]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,4,17,16],"tags":[],"class_list":["post-696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-hacking","category-iot-stuff","category-linux"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=696"}],"version-history":[{"count":2,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/696\/revisions"}],"predecessor-version":[{"id":703,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/696\/revisions\/703"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/664"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}