Holiday Hack 2015, Part 2

Gnome in Your Home - The 2015 SANS Holiday Hack Challenge

Part 2: I'll be Gnome for Christmas:

Firmware Analysis for Fun and Profit

Answer the following:

  1. What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?
  2. What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?

We’ve been given a .bin file from Jessica Dosis; our mission is to answer the questions above. I haven’t done a lot of firmware analysis, but luckily we’ve been given some good resources by the Counter Hack team! Nothing like learning on the job.

  1. Loading up binwalk with our file, we get a nice place to start almost immediately. Looks like we’re dealing with an ARM processor!
  2. This also gives us an idea where the OS resides in the .bin so we can extract it. Using dd if=giyh-firmware-dump.bin of=filesys.dump.squashfs skip=168803 bs=1, we skip to the start of the partition and extract it.
  3. To extract the filesystem from the partition, we need a tool called firmware-mod-kit. In my case, I had to install it on my Kali machine, but all it took was a simple apt-get install firmware-mod-kit. Since we know we’re dealing with a squashfs file system, the command of choice is unsquashfs_all.sh, which will attempt all squashfs versions until one works.
  4. We now have a filesystem we can dive into and investigate! Diving in, we find our typical directories expected in an OS. We’re looking for database and webserver files, so the www and opt dirs are probably of interest.
  5. Inside the opt directory, we find only a single folder, mongodb, which answers the question about what kind of db the gnome is using.
  6. Opening up the mongodb folder, we find the db files. Running strings on them quickly reveals our username/password combo. (Note: The strings output has been put through grep for the sake of making a cleaner image. Screenshot shows the -B1 flag, when really it should be the -A1 for the line after).
  7. Back in our root dir, the www directory seems like a good place to start for answering which type of webserver the gnome is using. Once in the www dir, we see a folder called ==node_modules==, a very good indication that we’re dealing with a ==node.js== server. This can be further confirmed by looking in the /etc/init.d dir, where we find startup scripts for both mongodb and nodejs.
  8. Lastly, we need to answer the question of what operating system the gnome is running. We know it’s ARM-based, but what exactly is it? Back in our /etc dir, there are several files with “openwrt” in them, a popular embedded device OS. A quick look at the openwrt_release file gives us all we need to know.
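As an added example (not part of the original write-up or the challenge materials), the Python below does by hand what binwalk and dd did in steps 1 and 2: it scans a firmware image for the squashfs superblock magic, sanity-checks the header so stray matches are rejected, and carves the partition at the reported offset. The image it scans is constructed inline; the 168803 offset is the write-up's and does not appear in this fake image.

```python
import struct

# Squashfs magic: "hsqs" in little-endian images, "sqsh" in big-endian ones.
MAGIC_LE, MAGIC_BE = b"hsqs", b"sqsh"
SUPERBLOCK_LEN = 96
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_superblock(data, offset):
    """Decode the squashfs v4 superblock at offset; None unless it is plausible."""
    magic = data[offset:offset + 4]
    if offset + SUPERBLOCK_LEN > len(data) or magic not in (MAGIC_LE, MAGIC_BE):
        return None
    end = "<" if magic == MAGIC_LE else ">"
    # Fields after the magic: inode_count, mod_time, block_size, frag_count (u32 x4), compressor,
    # block_log, flags, id_count, ver_major, ver_minor (u16 x6), root_inode, bytes_used (u64 x2).
    (inodes, _mtime, block_size, _frags, comp, block_log, _flags, _ids, major, minor,
     _root, bytes_used) = struct.unpack(end + "4I6H2Q", data[offset + 4:offset + 48])
    # Sanity checks weed out stray occurrences of the magic bytes, much as binwalk's rules do.
    if major != 4 or block_size != 1 << block_log or comp not in COMPRESSORS:
        return None
    if bytes_used < SUPERBLOCK_LEN or offset + bytes_used > len(data):
        return None
    return {"offset": offset, "version": f"{major}.{minor}", "compression": COMPRESSORS[comp],
            "block_size": block_size, "inodes": inodes, "size": bytes_used}

def find_squashfs(data):
    """Every plausible squashfs superblock in the image, sorted by offset (binwalk's job in step 1)."""
    found = []
    for magic in (MAGIC_LE, MAGIC_BE):
        pos = data.find(magic)
        while pos != -1:
            sb = parse_superblock(data, pos)
            if sb:
                found.append(sb)
            pos = data.find(magic, pos + 1)
    return sorted(found, key=lambda s: s["offset"])

def carve(data, sb):
    """Same bytes as: dd if=image of=out.squashfs skip=<offset> bs=1 count=<size> (step 2)."""
    return data[sb["offset"]:sb["offset"] + sb["size"]]

def build_sample_image():
    """Constructed test image: padding, a decoy 'hsqs' that fails the checks, then a real superblock."""
    prefix = b"\x00" * 1000 + b"hsqs" + b"\xff" * 500
    body = b"\xaa" * 4096  # stands in for the compressed filesystem data
    fields = struct.pack("<4I6H2Q", 12, 1450000000, 1 << 17, 0, 1, 17, 0xC0, 1, 4, 0, 0,
                         SUPERBLOCK_LEN + len(body))
    superblock = (b"hsqs" + fields).ljust(SUPERBLOCK_LEN, b"\x00")
    return prefix + superblock + body + b"\x00" * 256, len(prefix)
```

On a real dump, read the .bin into bytes, pass it to find_squashfs, and hand each hit to carve; the carved output is what unsquashfs_all.sh expects in step 3.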