We covered the first hardware hacking challenge, in which we inspected a rootfs image, used the appropriate tool (unsquashfs) to extract it locally, and explored the Linux directories inside. We then searched for and located the flag using the grep command. This was part of the HackTheBox Photon Lockdown hardware challenge.
Challenge Description
We’ve located the adversary’s location and must now secure access to their Optical Network Terminal to disable their internet connection. Fortunately, we’ve obtained a copy of the device’s firmware, which is suspected to contain hardcoded credentials. Can you extract the password from it?
Challenge Overview
We begin by reviewing the challenge description:
“We have located the adversary’s position and must now secure access to their Optical Network Terminal (ONT) to disable their internet connection. Fortunately, we’ve acquired a copy of the device’s firmware, which is suspected to contain hardcoded credentials. Can you extract the password?”
So, we’re provided with a firmware image, likely from a networking device such as a Cisco router, a TP-Link device, or even a Linux-based embedded system.
File Setup
After downloading the challenge files, we observe the following contents:
rootfs
HW_
FWU
We’ll organize our workspace with a new directory:
mkdir photon-lockdown
Then we copy the downloaded files into that directory:
cp rootfs HW_ FWU photon-lockdown/
cd photon-lockdown
File Analysis
We start identifying each file:
file FWU
Result: ASCII text — likely just version info.
cat FWU
Output: 3.0.5, probably the firmware version.
file HW_
Result: XZ archive data.
file rootfs
Result:
SquashFS filesystem, little endian, version 4.0, zlib compressed, approx. 10MB
This indicates a SquashFS image, commonly used to store compressed filesystems — particularly in embedded Linux systems.
What is SquashFS?
If you’re unfamiliar with SquashFS:
SquashFS is a compressed read-only file system, typically used in embedded devices and Internet of Things (IoT) systems. It’s optimized for minimal storage and is often used to package a subset of an operating system into a single compressed image.
In our case, the rootfs file contains such a compressed Linux environment.
Extracting the Root Filesystem
To extract the contents of a SquashFS file, we need the unsquashfs tool. On most Linux systems, it’s part of the squashfs-tools package.
You can install it with:
sudo apt install squashfs-tools
Then, create a destination folder to extract the contents:
mkdir contents
sudo unsquashfs -d contents rootfs
Exploring the Filesystem
Navigate into the extracted directory:
cd contents
ls
You’ll see a familiar Linux directory structure:
bin/
dev/
etc/
home/
img/
… and more.
This confirms that rootfs contains a partial Linux OS filesystem, selectively compressed for deployment.
Objective: Extract the Flag
At this stage, our goal is to locate a plaintext password or flag. In real-world scenarios (such as penetration testing or CTFs), this simulates the process of:
- Accessing a compromised device.
- Mounting/extracting the firmware.
- Searching for sensitive information like hardcoded credentials.
This is often part of privilege escalation, where stored secrets or config files help move to higher privilege levels within a system.
You can now proceed to explore directories like /etc/, /home/, or custom paths that might contain configuration files, user data, or flags.
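The grep search over the extracted tree can be written as a small audit script. This is an added example, not part of the original write-up or the challenge files; the key names, function names, the audit.sh file name and the sample files are assumptions constructed for illustration, and GNU grep is assumed.

```bash
#!/usr/bin/env bash
# Added example: audit an extracted rootfs for credential-like settings.
# Assumes GNU grep. Usage: bash audit.sh contents   (audit.sh is hypothetical)

# Key names that commonly label secrets; an assumption, extend per vendor.
CRED_KEYS='passw(or)?d|secret|token|api_?key|private_?key'

# find_hardcoded_creds ROOT -> prints "path:line:text" for each hit.
find_hardcoded_creds() {
    local root="$1"
    # -r  recurse WITHOUT following symlinks: firmware images are full of
    #     absolute links (e.g. /etc/shadow) that would otherwise resolve to
    #     files on the analysis host and pollute the results.
    # -I  skip binary files; -i case-insensitive; -n line numbers; -E ERE.
    grep -rIinE -- "$CRED_KEYS" "$root" 2>/dev/null | sort
}

# rank_cred_files ROOT -> "count path", most hits first, to decide what to
# read by hand (paths containing ':' or spaces are not handled here).
rank_cred_files() {
    find_hardcoded_creds "$1" | cut -d: -f1 | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# make_sample_rootfs ROOT OUTSIDE -> constructed tree; every value is invented.
make_sample_rootfs() {
    local root="$1" outside="$2"
    mkdir -p "$root/etc" "$root/bin" "$outside"
    printf 'hostname=ont\nadmin_password=Constructed123\n' > "$root/etc/device.conf"
    printf 'welcome to the device\n' > "$root/etc/motd"
    printf 'password=\0\0\0binary' > "$root/bin/blob"     # binary: skipped by -I
    printf 'password=host-secret\n' > "$outside/shadow"   # stands in for a host file
    ln -s "$outside/shadow" "$root/etc/shadow"            # symlink: not followed by -r
}

# When a directory is given on the command line, audit it.
if [ $# -ge 1 ]; then find_hardcoded_creds "$1"; fi
```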