CSAW 2017 Best Router Writeup
This was a simple forensics challenge worth 200 points.
We are given an archive which we can easily extract.
root@kali:/opt/ctf/csaw17/best_router# tar -xvf best_router.tar.gz
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword 'SCHILY.dev'
tar: Ignoring unknown extended header keyword 'SCHILY.ino'
tar: Ignoring unknown extended header keyword 'SCHILY.nlink'
best_router.img
We can now run binwalk on it to analyze the firmware.
root@kali:/opt/ctf/csaw17/best_router# binwalk best_router.img
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
4886543 0x4A900F Copyright string: "copyright does *not* cover user programs that use kernel"
...
4905514 0x4ADA2A Copyright string: "Copyright (c) 2015, Raspberry Pi (Trading) Ltd"
Looking at this output, we can see a Raspberry Pi copyright string, so this is a Raspberry Pi SD-card image. It is a raw disk image with a partition table rather than a single filesystem, so we list the partitions with fdisk to find where the root filesystem starts.
root@kali:/opt/ctf/csaw17/best_router# fdisk -l best_router.img
Disk best_router.img: 14.6 GiB, 15640559616 bytes, 30547968 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7f39f284
Device Boot Start End Sectors Size Id Type
best_router.img1 8192 93813 85622 41.8M c W95 FAT32 (LBA)
best_router.img2 94208 30547967 30453760 14.5G 83 Linux
The root filesystem is the second partition, which starts at sector 94208. With 512-byte sectors the byte offset is 94208 * 512 = 48234496, which we pass to mount.
root@kali:/opt/ctf/csaw17/best_router# mount -v -o offset=48234496 -t ext4 best_router.img /mnt/img/router
mount: /dev/loop0 mounted on /mnt/img/router.
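The offset calculation above, as an added example in shell (not part of the original writeup): the fdisk listing is a constructed copy of the one printed above, embedded so the helpers run without the image, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: derive byte offsets from an fdisk -l listing and build a
# read-only mount command for a partition inside a raw disk image.

# Constructed copy of the fdisk -l output shown above, embedded so the
# helpers can be exercised without the image itself.
FDISK_SAMPLE='Disk best_router.img: 14.6 GiB, 15640559616 bytes, 30547968 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Device Boot Start End Sectors Size Id Type
best_router.img1 8192 93813 85622 41.8M c W95 FAT32 (LBA)
best_router.img2 94208 30547967 30453760 14.5G 83 Linux'

# part_offset LISTING PARTITION
# Prints the byte offset of PARTITION's first sector: Start * logical sector
# size. A bootable partition carries a "*" in the Boot column, which shifts
# the Start field right by one; that case is handled.
part_offset() {
    printf '%s\n' "$1" | awk -v part="$2" '
        BEGIN { ss = 512 }                               # fdisk default
        /^Sector size/ { sub(/.*: /, ""); ss = $1 + 0 }  # logical size
        $1 == part {
            start = ($2 == "*") ? $3 : $2
            printf "%d\n", start * ss
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# mount_cmd LISTING IMAGE PARTITION MOUNTPOINT
# Prints the mount command. "ro" keeps the evidence unmodified and "noload"
# stops ext4 from replaying a dirty journal at mount time, which a plain
# "ro" mount on a writable loop device would otherwise do.
mount_cmd() {
    off=$(part_offset "$1" "$3") || return 1
    printf 'mount -o ro,noload,offset=%s -t ext4 %s %s\n' "$off" "$2" "$4"
}

# Usage against the real image (needs root):
#   mount_cmd "$(fdisk -l best_router.img)" best_router.img best_router.img2 /mnt/img/router
```

An alternative that avoids the arithmetic entirely is a read-only loop device with partition scanning, `losetup -r -f -P --show best_router.img`, which exposes the partitions as /dev/loopNp1 and /dev/loopNp2 for mounting.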
Once it is mounted we can go exploring. The /home/ directory contains a single user, "pi", so let's look at that user's bash history.
root@kali:/mnt/img/router/home/pi# cat .bash_history
ls
sudo su
It looks like they switched to root, so let's check /root next. It contains an install script:
root@kali:/mnt/img/router/root# cat install.sh
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2enmod cgid
sudo cp 000-default.conf /etc/apache2/sites-available/000-default.conf
sudo service apache2 restart
sudo rm -rf /var/www/*
sudo mv www/* /var/www
chmod 755 /var/www/*.pl
So there is an installation script that installs Apache with CGI enabled, drops in a custom 000-default.conf, and replaces /var/www with the contents of a www/ directory. Let's see what ended up there.
root@kali:/mnt/img/router/var/www# ls -l
total 16
-rw-r--r-- 1 root root 0 Sep 10 00:43 flag.txt
-rwxr-xr-x 1 root root 472 Sep 10 00:51 index.pl
-rwxr-xr-x 1 root root 1238 Sep 10 00:50 login.pl
-rw-r--r-- 1 1000 1000 23 Sep 10 00:49 password.txt
-rw-r--r-- 1 1000 1000 5 Sep 10 00:49 username.txt
flag.txt is empty, but the username and password sit beside the CGI scripts in plain-text files, both world-readable (mode 644).
root@kali:/mnt/img/router/var/www# cat username.txt
admin
root@kali:/mnt/img/router/var/www# cat password.txt
iforgotaboutthemathtest
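The trail followed above (shell history, scripts in /root, loose data files in the web root) as a reusable first-pass triage, an added example in shell that is not part of the original writeup. It builds a constructed directory tree mirroring the image layout so it runs without the image; the file contents in that tree are placeholders and all function names are the example's own.

```shell
#!/bin/sh
# Added example: first-pass triage of a mounted Linux root filesystem.

# triage ROOT -> prints candidate files, one per line
triage() {
    root=$1
    # Shell histories of every account, including root; "sudo su" in pi's
    # history is what pointed at /root in the writeup.
    find "$root/root" "$root/home" -maxdepth 2 -type f -name '.*_history' 2>/dev/null || true
    # Install or setup scripts in root's home document what was deployed where.
    find "$root/root" -maxdepth 1 -type f \( -name '*.sh' -o -name '*.conf' \) 2>/dev/null || true
    # Web roots: data files sitting beside the application code are readable
    # by anyone holding the image, and possibly by anyone with HTTP access.
    for web in "$root/var/www" "$root/srv/www"; do
        [ -d "$web" ] && find "$web" -type f \
            \( -iname '*pass*' -o -iname '*user*' -o -iname '*flag*' -o -iname '*.txt' \) \
            2>/dev/null || true
    done
    return 0
}

# world_readable ROOT FILE -> succeeds if FILE (relative to ROOT) has o+r set,
# i.e. any local account on the device could have read it, not just the web server.
world_readable() {
    [ -n "$(find "$1/$2" -prune -perm -o=r 2>/dev/null)" ]
}

# make_sample_root DIR -> constructed tree mirroring the layout found in the
# image (placeholder contents, not the real files).
make_sample_root() {
    mkdir -p "$1/home/pi" "$1/root" "$1/var/www"
    printf 'ls\nsudo su\n' > "$1/home/pi/.bash_history"
    printf 'sudo apt-get install apache2 -y\n' > "$1/root/install.sh"
    : > "$1/var/www/flag.txt"
    printf 'admin\n' > "$1/var/www/username.txt"
    printf 'placeholder-password\n' > "$1/var/www/password.txt"
    chmod 644 "$1/var/www/password.txt"
    printf '#!/usr/bin/perl\n' > "$1/var/www/login.pl"
}

# Usage against the real mount: triage /mnt/img/router
```

Whether Apache would also have served password.txt over HTTP depends on the copied 000-default.conf, which is not shown here; the file mode alone already makes it readable to every local account on the device.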
These look useful. Let's try them on the website given in the challenge prompt:
Authenticated
flag{but_I_f0rgot_my_my_math_test_and_pants}
Success!
Overall, this was a straightforward forensics problem: mount the image, follow the trail through the file system (shell history, /root, the web root), and recover the credentials stored there in plain text.