CSAW 2017 Best Router Writeup
This is a writeup of the Best Router challenge at CSAW 2017.
This was a simple forensics challenge worth 200 points.
We are given an archive which we can easily extract.
root@kali:/opt/ctf/csaw17/best_router# tar -xvf best_router.tar.gz
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword 'SCHILY.dev'
tar: Ignoring unknown extended header keyword 'SCHILY.ino'
tar: Ignoring unknown extended header keyword 'SCHILY.nlink'
best_router.img
We can now run binwalk on it to analyze the firmware.
root@kali:/opt/ctf/csaw17/best_router# binwalk best_router.img
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
4886543 0x4A900F Copyright string: "copyright does *not* cover user programs that use kernel"
...
4905514 0x4ADA2A Copyright string: "Copyright (c) 2015, Raspberry Pi (Trading) Ltd"
Looking at this output, we can see that it's a Raspberry Pi device, which we can mount by following this guide.
root@kali:/opt/ctf/csaw17/best_router# fdisk -l best_router.img
Disk best_router.img: 14.6 GiB, 15640559616 bytes, 30547968 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7f39f284
Device Boot Start End Sectors Size Id Type
best_router.img1 8192 93813 85622 41.8M c W95 FAT32 (LBA)
best_router.img2 94208 30547967 30453760 14.5G 83 Linux
We can now mount the device after calculating the offset.
root@kali:/opt/ctf/csaw17/best_router# mount -v -o offset=48234496 -t ext4 best_router.img /mnt/img/router
mount: /dev/loop0 mounted on /mnt/img/router.
After we have mounted it, we can go exploring. I first looked at the /home/ directory and found the "pi" user. We can take a look at the bash history.
root@kali:/mnt/img/router/home/pi# cat .bash_history
ls
sudo su
It looks like they switched to root, so let's check there.
root@kali:/mnt/img/router/root# cat install.sh
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2enmod cgid
sudo cp 000-default.conf /etc/apache2/sites-available/000-default.conf
sudo service apache2 restart
sudo rm -rf /var/www/*
sudo mv www/* /var/www
chmod 755 /var/www/*.pl
It looks like there is an installation script to install a website. Let's check what's in that directory.
root@kali:/mnt/img/router/var/www# ls -l
total 16
-rw-r--r-- 1 root root 0 Sep 10 00:43 flag.txt
-rwxr-xr-x 1 root root 472 Sep 10 00:51 index.pl
-rwxr-xr-x 1 root root 1238 Sep 10 00:50 login.pl
-rw-r--r-- 1 1000 1000 23 Sep 10 00:49 password.txt
-rw-r--r-- 1 1000 1000 5 Sep 10 00:49 username.txt
There is an empty flag file, but there are username and password files.
root@kali:/mnt/img/router/var/www# cat username.txt
admin
root@kali:/mnt/img/router/var/www# cat password.txt
iforgotaboutthemathtest
These look useful. Let's try them on the website they gave us in the challenge prompt.
Authenticated
flag{but_I_f0rgot_my_my_math_test_and_pants}
Success!
Overall, this was a pretty simple forensics problem that required mounting the image and exploring the file system for the value content.