Introduction
The SANS Institute regularly creates a Christmas holiday hack challenge.
These challenges are a good way to try out new techniques or grow your knowledge in some new area.
As I get time to tackle the challenges, I will write up my solution and frustrations, and share any techniques that may come in handy for future challenges.
Challenge
After submitting the text (GnomeNET-NorthAmerica) found in the image from Josh’s pcap file, we are told to speak to Jessica (in the next room). Jessica has a firmware dump of one of the gnomes. Josh mentions that the file contains a password.
Challenge site tips:
3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?
Binwalk might be a good tool to help examine the firmware dump.
$ binwalk giyh-firmware-dump.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PEM certificate
1809          0x711           ELF 32-bit LSB shared object, ARM, version 1 (SYSV)
168803        0x29363         Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 17376149 bytes, 4866 inodes, blocksize: 131072 bytes, created: Tue Dec 8 10:47:32 2015
Extract the dump file contents (Squashfs file)
$ binwalk -Me giyh-firmware-dump.bin
Extract contents of Squashfs to /tmp/firmware
$ unsquashfs -f -d /tmp/firmware _giyh-firmware-dump.bin.extracted/29363.squashfs
Parallel unsquashfs: Using 2 processors
3936 inodes (5763 blocks) to write

[==| ] 201/5763 3%
[==================================================================================\] 5763/5763 100%

created 3899 files
created 930 directories
created 37 symlinks
created 0 devices
created 0 fifos

$ ls /tmp/firmware
bin etc init lib mnt opt overlay rom root sbin tmp usr var www
Looking at autorun services
$ ls -la etc/rc.d/
total 8
lrwxrwxrwx 1 root root 16 Dec 14 15:50 S97mongod -> ../init.d/mongod
lrwxrwxrwx 1 root root 21 Dec 14 15:50 S98gpio_switch -> ../init.d/gpio_switch
lrwxrwxrwx 1 root root 16 Dec 14 15:50 S98nodejs -> ../init.d/nodejs

S97mongod starts the MongoDB database.
S98nodejs starts the nodejs web framework.
$ cat etc/mongodb.conf
# LOUISE: No logging, YAY for /dev/null
# AUGGIE: Louise, stop being so excited to basic Unix functionality
# LOUISE: Auggie, stop trying to ruin my excitement!

systemLog:
  destination: file
  path: /dev/null
  logAppend: true
storage:
  dbPath: /opt/mongodb
net:
  bindIp: 127.0.0.1
Let's try our luck and see if a simple ‘strings’ command and ‘grep’ can find a reference to passwords in the MongoDB data file.
$ strings opt/mongodb/gnome.0 |grep pass -C 2
username
user
password
user
user_level
username
admin
password
SittingOnAShelf
user_level
Jessica confirms that SittingOnAShelf is the correct flag.
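The strings and grep step works because MongoDB stores documents as BSON, in which field names and string values sit in the file as raw ASCII bytes. As an added example (not part of the original write-up), here is the same search in Python, extended to flag values after a password field that do not look like a hash; the sample bytes, the field list and the hash-shape patterns are constructed assumptions.

```python
import re
import struct

# Assumed value shapes that indicate a password hash rather than plaintext.
HASH_SHAPES = re.compile(r"^(\$2[aby]\$\d\d\$|\$argon2|\$[156]\$|[0-9a-fA-F]{32,128}$)")

def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, approximating strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def grep_context(lines: list[str], needle: str, context: int = 2) -> list[str]:
    """Matching lines plus `context` neighbours, like `grep needle -C 2`."""
    keep = set()
    for i, line in enumerate(lines):
        if needle in line:
            keep.update(range(max(0, i - context), min(len(lines), i + context + 1)))
    return [lines[i] for i in sorted(keep)]

def plaintext_findings(data: bytes, fields=("password",)) -> list[tuple[str, str]]:
    """(field, value) pairs where the run after a credential field is not hash-shaped."""
    runs = printable_runs(data)
    return [(name, value) for name, value in zip(runs, runs[1:])
            if name in fields and not HASH_SHAPES.match(value)]

# --- Constructed sample: two BSON-encoded user documents (not data from the dump) ---
def bson_doc(fields: dict) -> bytes:
    body = b""
    for name, value in fields.items():
        key = name.encode() + b"\x00"
        if isinstance(value, int):                 # int32 element, type 0x10
            body += b"\x10" + key + struct.pack("<i", value)
        else:                                      # UTF-8 string element, type 0x02
            raw = value.encode() + b"\x00"
            body += b"\x02" + key + struct.pack("<i", len(raw)) + raw
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

SAMPLE = (
    bson_doc({"username": "admin", "password": "ExamplePlaintext1", "user_level": 100})
    + bson_doc({"username": "user", "password": "$2b$12$" + "C" * 53, "user_level": 10})
)

if __name__ == "__main__":
    print("\n".join(grep_context(printable_runs(SAMPLE), "pass")))
    for field, value in plaintext_findings(SAMPLE):
        print(f"plaintext-looking value after {field!r}: {value}")
```

A hit is a lead to verify by hand: a schema-style entry such as `password` followed by `user` in the output above would also be reported.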
The OS used by the gnomes is Linux and the CPU type is ARM. The web framework is nodejs.
The database is mongodb and the plaintext password stored in the db is ‘SittingOnAShelf’.
Thank you