Write up: 2015 Sans Holiday Hack Challenge – Part 2

Introduction

San Institute regularly creates a Christmas holiday hack challenge.

These challenges are a good way to try out new techniques or grow your knowledge in some new area.

As I get time to tackle the challenges I will write up my solution, frustrations and share any techniques that may come in handy for future challenges.

Challenge

After submitting the text (GnomeNET-NorthAmerica) found in the image from Josh’s pcap file, we are told to speak to Jessica (in the next room). Jessica has a firmware dump of one of the gnomes. Josh mentions that the file contains a password.

Challenge site tips:

3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?

4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?

Binwalk might be a good tool to help examine the firmware dump.

$ binwalk giyh-firmware-dump.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PEM certificate
1809 0x711 ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
168803 0x29363 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 17376149 bytes, 4866 inodes, blocksize: 131072 bytes, created: Tue Dec 8 10:47:32 2015

Extract the dump file contents (Squashfs file)

$ binwalk -Me giyh-firmware-dump.bin

Extract contents of Squashfs to /tmp/firmware

$ unsquashfs -f -d /tmp/firmware _giyh-firmware-dump.bin.extracted/29363.squashfs
Parallel unsquashfs: Using 2 processors
3936 inodes (5763 blocks) to write
[==| ] 201/5763 3% [==================================================================================\] 5763/5763 100%
created 3899 files
created 930 directories
created 37 symlinks
created 0 devices
created 0 fifos
$ ls /tmp/firmware
bin etc init lib mnt opt overlay rom root sbin tmp usr var www

Looking at autorun services

$ ls -la etc/rc.d/
total 8

lrwxrwxrwx 1 root root 16 Dec 14 15:50 S97mongod -> ../init.d/mongod
lrwxrwxrwx 1 root root 21 Dec 14 15:50 S98gpio_switch -> ../init.d/gpio_switch
lrwxrwxrwx 1 root root 16 Dec 14 15:50 S98nodejs -> ../init.d/nodejs

S97mondod starts Mongodb database

S98nodejs starts nodejs web framework

cat etc/mongodb.conf

# LOUISE: No logging, YAY for /dev/null
# AUGGIE: Louise, stop being so excited to basic Unix functionality
# LOUISE: Auggie, stop trying to ruin my excitement!
systemLog:
 destination: file
 path: /dev/null
 logAppend: true
storage:
 dbPath: /opt/mongodb
net:
 bindIp: 127.0.0.1

SittingOnAShelf

Lets try our luck and see if simple ‘strings’ command and ‘grep’ can find a reference to passwords in the mongodb file

$ strings opt/mongodb/gnome.0 |grep pass -C 2
username
user
password
user
user_level
username
admin
password
SittingOnAShelf
user_level

Jessica confirms that SittingOnAShelf is the correct flag.

The OS used by the gnomes is Linux and the CPU type is ARM. The web framework is nodejs.

The database is mongodb and the plaintext password stored in the db in ‘SittingOnAShelf’

Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s