We covered the first hardware hacking challenge where we inspected a rootfs image and using the appropriate tools (unsquashfs) we mounted the image locally and discovered Linux directories. We searched and located the flag using the grep command. This was part of HackTheBox Photon Lockdown hardware challenge.

Challenge Description

We’ve located the adversary’s location and must now secure access to their Optical Network Terminal to disable their internet connection. Fortunately, we’ve obtained a copy of the device’s firmware, which is suspected to contain hardcoded credentials. Can you extract the password from it?

Get Blue Team Notes

Video Transcript

What’s going on, guys? Welcome back to this video. Today we’re doing hack the box and I’m heading over to challenges. From here, we’re going to solve one of the hardware challenges today. I’m picking up the first one, which is Photo and Lockdown since it is the easiest one and since we are just getting started with the hardware challenges. Let’s go to the challenge and here we read it through the description. We have located the adversary’s location and must now secure access to their optical network terminal to disable their internet connection. Fortunately, we have obtained a copy of the device’s firmware, which is suspected to contain hardcoded credentials, can extract the password. So we’re given a firmware image. So it could be a firmware of a networking device like Cisco, a regular router like TPA link router maybe, or could be a firmware image of an operating system such as Linux. We can download the files and here I have downloaded the files to my machine. As you can see we have these files root s s, hw_ and this one. We’re going to move all of these into one directory, so make directory and we’re going to say, ‘photon-lockdown’.

Okay, into that directory we’re going to move the root s and the other files. So we’re going to say cp_root_fs and FWU, additionally, HW_ into PhotonLogdown. Okay, ls or cd to PhotonLogdown now. We have the files, so here. We want to know what files, what’s the nature of these files. We start with file, FWU. This is a text, ask a text file. If we cut fw to the contents, it’s 3.0.5. Perhaps this is the version of the framework. If we cut HW, it’s X1 file. It’s X1 archive data. Okay, so not much to do with these two files. Therefore, we’re going to move over to root FS. File, root FS. We have this description, Squash FS file system. Little endian version 4.0, ZLIP Compressed. We have the size, around 10 megabytes. And this is the date 1 October. All right, so this is a Squash FS-Fi system. Now you may not have heard of Squash FS-Fi system before, and therefore you can use Google. But I am here to save you the time and not go to waste yourself into the million of pages. So root FS-Fi system is a type of file system that contains a compressed version of an operating system.

So, for example, this Linux operating system I’m using, I can compress all of the files, all of the directories in a root FS file. And then I can take this image and use it anywhere else. It’s commonly used in embedded systems. If you have an Internet of Things device, such as it could be a microprocessor, it could be any Internet of Things device that’s required you to have an operating system. Since size is important, I cannot go about compressing any operating system, using any tool like DD or anything else. I need something that saves me some space. So we use Squash-FS-FI system to create a compressed version of specific directories that you want to use somewhere else, such as in an embedded system. So root-FS comes to the rescue. And using root-FS, you can use specific directories, and you can compress specific directories in your operating system and move them somewhere else for use. So how to do that? You can do the SquashFS tool. Okay, just squash, unsquash. So Unsquash, it is the tool that uncompresses the archive. Squashfs is the tool that creates the archive. I don’t know why it’s not working. Maybe I don’t have it.

Let me try to install this. Okay, if it is. All right, so maybe we have to google this a bit to find the correct naming for the tool. So nevertheless, it’s not in the scope of this video. We don’t want to create a file. We already have a file. We want to extract the contents. So assume that you are somehow inspecting the contents of an embedded system. And you want to connect to an independent system and find the contents of the operating system it uses. So you will find root FS file definitely. So this file is found in embedded systems most of the time. So it’s useful if you know how to extract this file. So unsquash FS, and then the syntax. By pressing enter, you can take a look at the options and the arguments required. Let me save you some time. So since we created a specific directory to host the contents of the FHIR system, we’re going to create another one. So make directory contents. Okay, and we’re going to say, unsquash ss. And that is with dash d, we specify the destinations. Or the destination to which the contents of the FHIR system will be the template to be counted.

So the destination will be ‘contents directory’. Contents. And then we specify the file, the file is root FS. So we have some permissions problem. We’re going to use pseudo. All right, so lscd_contents. And as you can see, we have directories. Let’s take a look at the structure. So we have BIM, Dev, etc, Home, Image. These directories are very common in any Linux operating system. Okay, so this means that rootFS represents a squash image or a compressed file of an entire operating system, Linux operating system. All right, so the author selected specific directories, as you can see, only specific directories to compress and mount into the file. So our job here is to find the flag, as you know. So there are some directories we can look in, but the thing is we want a fast way. This simulates a process where you are looking for a plain text password. Imagine you are conducting a privilege escalation or you have compromised the machine and you have seen this before in previous videos where we are doing a CTF challenge. We have obtained Shell and now we want to escalate the privileges. So part of getting the privileges is looking for plain text passwords.

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles