Advanced Penetration Testing Techniques - IoT Firmware Analysis


Posted by nathan2009729 on 2023-04-25

Binaries & IoT Range 20230318

Questions:


Note that Challenge 13 ("What are last 6 hex characters of the hash of RootFlagTwo.txt on machine 172.25.120.220? (Hint: MD5 Hash)") has no answer here; that environment could not be reproduced.

IoT Range

Start with the IoT Range's Target Machine 3 (172.25.120.100). The related questions:

8 (Challenge 18) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and identify the compression algorithm.

9 (Challenge 19) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and enter the year of the image?

10 (Challenge 20) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and find the total number of inodes of the file system?

11 (Challenge 21) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image File2.bin and find the image CRC (include 0x).

12 (Challenge 22) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image File2.bin and determine the original file name.

13 (Challenge 23) What is the address (numbers only) of the file system loader offset in File2.bin?

14 (Challenge 24) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image IOT.bin and find the password of the admin user. (hint: not the one in plain text)

15 (Challenge 25) On the Target Machine 3 (172.25.120.100), analyze IOT firmware image IOT.bin, what is the web_passwd of the user anonymous (include all characters)?

First, SSH in:

┌──(root㉿kali)-[~]
└─# ssh student@172.16.120.100
The authenticity of host '172.16.120.100 (172.16.120.100)' can't be established.
ED25519 key fingerprint is SHA256:wi2p5bRPH6p9YLemyU2vB5hdHMMqFH4xWJKODwVGBiY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.120.100' (ED25519) to the list of known hosts.
student@172.16.120.100's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 03 Apr 2023 07:18:35 AM UTC

  System load:  0.0                Processes:             145
  Usage of /:   12.0% of 61.51GB   Users logged in:       1
  Memory usage: 19%                IPv4 address for eth0: 172.16.120.100
  Swap usage:   0%


36 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

*** System restart required ***
Last login: Fri Jan  7 14:49:54 2022 from 172.16.0.1
student@ub20-iot:~$

Challenge 18: (30 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and identify the compression algorithm. Ans: LZMA

student@ub20-iot:~$ ls
FileOne.bin  FileTwo.bin  IOT.bin
student@ub20-iot:~$ binwalk FileOne.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
48            0x30            Unix path: /dev/mtdblock/2
96            0x60            uImage header, header size: 64 bytes, header CRC: 0x7FE9E826, created: 2010-11-23 11:58:41, image size: 878029 bytes, Data Address: 0x80000000, Entry Point: 0x802B5000, data CRC: 0x7C3CAE85, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
160           0xA0            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2956312 bytes
917600        0xE0060         PackImg section delimiter tag, little endian size: 7348736 bytes; big endian size: 2256896 bytes
917632        0xE0080         Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 2256151 bytes, 1119 inodes, blocksize: 65536 bytes, created: 2010-11-23 11:58:47

LZMA appears at decimal offsets 96 and 160.

Challenge 19: (30 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and enter the year of the image? Ans: at decimal offset 96, the created date shows 2010.

Challenge 20: (30 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image FileOne.bin and find the total number of inodes of the file system?

Ans: this refers to the inodes of the file system, i.e. the entry at decimal 917632: 1119.
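As an added example (not part of the original post), the following Python decodes a U-Boot uImage header the way binwalk reports it for FileOne.bin and additionally verifies the header and data CRCs, which binwalk's listing does not do. The image it parses is constructed inside the script from the field values shown above (created 2010-11-23 11:58:41, LZMA, MIPS kernel) over a dummy payload; the enumeration values come from U-Boot's image.h, and build_uimage/flip_byte are helpers written for this example.

```python
import calendar
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956  # ih_magic; every header field is big-endian
UIMAGE_HEADER_LEN = 64
# U-Boot image.h enumerations, limited to the values this example needs
IH_OS = {5: "Linux"}
IH_ARCH = {5: "MIPS"}
IH_TYPE = {2: "OS Kernel Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}

def parse_uimage(image):
    """Decode the 64-byte header and check both CRCs against the bytes."""
    if len(image) < UIMAGE_HEADER_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, created, size, load, ep, dcrc,
     os_, arch, type_, comp) = struct.unpack(">IIIIIIIBBBB", image[:32])
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08X" % magic)
    # ih_hcrc is defined over the header with its own field set to zero
    zeroed = image[:4] + b"\0\0\0\0" + image[8:UIMAGE_HEADER_LEN]
    data = image[UIMAGE_HEADER_LEN:UIMAGE_HEADER_LEN + size]
    return {
        "created": datetime.fromtimestamp(created, tz=timezone.utc),
        "image_size": size,
        "load_addr": load,
        "entry_point": ep,
        "os": IH_OS.get(os_, "unknown(%d)" % os_),
        "cpu": IH_ARCH.get(arch, "unknown(%d)" % arch),
        "image_type": IH_TYPE.get(type_, "unknown(%d)" % type_),
        "compression": IH_COMP.get(comp, "unknown(%d)" % comp),
        "name": image[32:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        # a failing CRC means a corrupt, truncated or modified image
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }

def build_uimage(payload, created, name, load=0x80000000, ep=0x802B5000,
                 os_=5, arch=5, type_=2, comp=3):
    """Pack header + payload as mkimage does; used only to build the
    constructed sample (defaults mirror the FileOne.bin header)."""
    fields = struct.pack(">IIIIIBBBB", created, len(payload), load, ep,
                         zlib.crc32(payload), os_, arch, type_, comp)
    header = (struct.pack(">II", UIMAGE_MAGIC, 0) + fields
              + name.encode("ascii").ljust(32, b"\0"))
    hcrc = struct.pack(">I", zlib.crc32(header))  # CRC of the zeroed header
    return header[:4] + hcrc + header[8:] + payload

def flip_byte(image, offset):
    out = bytearray(image)  # copy with one corrupted byte, to exercise the CRCs
    out[offset] ^= 0xFF
    return bytes(out)

# Constructed sample: the FileOne.bin metadata binwalk reported (created
# 2010-11-23 11:58:41 UTC, LZMA, MIPS kernel) over a dummy 512-byte payload.
SAMPLE_TIME = calendar.timegm((2010, 11, 23, 11, 58, 41, 0, 0, 0))
SAMPLE_IMAGE = build_uimage(b"\xA5" * 512, SAMPLE_TIME, "Linux Kernel Image")

if __name__ == "__main__":
    info = parse_uimage(SAMPLE_IMAGE)
    print("compression:", info["compression"], "year:", info["created"].year)
    print("header CRC ok:", info["header_crc_ok"], "data CRC ok:", info["data_crc_ok"])
    print("payload tampered, data CRC ok:", parse_uimage(flip_byte(SAMPLE_IMAGE, 100))["data_crc_ok"])
```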

student@ub20-iot:~$ binwalk FileTwo.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             BIN-Header, board ID: 1550, hardware version: 4702, firmware version: 1.0.0, build date: 2012-02-08
32            0x20            TRX firmware header, little endian, image size: 7753728 bytes, CRC32: 0x436822F6, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x192708, rootfs offset: 0x0
60            0x3C            gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2016-03-09 08:08:31
1648424       0x192728        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 6099215 bytes, 447 inodes, blocksize: 65536 bytes, created: 2016-03-10 04:34:22

Challenge 21: (25 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image File2.bin and find the image CRC (include 0x). Ans: look at decimal 32, which shows CRC32: 0x43....; that 0x43.... value is the answer.

Challenge 22: (25 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image File2.bin and determine the original file name. Ans: look at decimal 60: has original file name: "piggy".

Challenge 23: (40 Points)

What is the address (numbers only) of the file system loader offset in File2.bin?

Ans: look at decimal 32: rootfs offset: 0x0, loader offset: 0x1C. (rootfs: root file system)
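As an added example (not from the original post), this Python decodes a TRX header as binwalk does for File2.bin (image size, CRC32 in the "0x" form, version, 28-byte header, loader/kernel/rootfs offsets) and verifies the CRC32, which covers the bytes from the flags field at offset 12 up to the recorded image length. The image is constructed in the script from dummy loader and kernel blobs; only the layout mirrors the binwalk output above, and build_trx/flip_byte are helpers written for this example.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28  # magic, length, crc32, flags, version, three offsets
# binwalk's names for the three offset slots, in header order
TRX_OFFSET_NAMES = ("loader", "linux kernel", "rootfs")

def parse_trx(image):
    """Decode a TRX header; the CRC32 covers offset 12 (the flags field)
    up to the image length recorded in the header, so it includes the
    partition offsets and every payload byte."""
    if len(image) < TRX_HEADER_LEN or image[:4] != TRX_MAGIC:
        raise ValueError("not a TRX image")
    (_magic, length, crc32, flags, version,
     off0, off1, off2) = struct.unpack("<4sIIHHIII", image[:TRX_HEADER_LEN])
    covered = image[12:length]
    return {
        "image_size": length,
        "crc32": "0x%08X" % crc32,  # the 'include 0x' form the challenge asks for
        "flags": flags,
        "version": version,
        "header_size": TRX_HEADER_LEN,
        "offsets": dict(zip(TRX_OFFSET_NAMES, (off0, off1, off2))),
        # a short slice means the file is truncated; a mismatch means altered
        "crc_ok": len(covered) == length - 12 and zlib.crc32(covered) == crc32,
    }

def build_trx(loader, kernel, version=1, flags=0):
    """Pack a loader + kernel image with no rootfs (offset 0, as File2.bin
    reports), computing length and CRC the way the header defines them."""
    loader_off = TRX_HEADER_LEN
    kernel_off = loader_off + len(loader)
    length = kernel_off + len(kernel)
    covered = (struct.pack("<HHIII", flags, version, loader_off, kernel_off, 0)
               + loader + kernel)
    return TRX_MAGIC + struct.pack("<II", length, zlib.crc32(covered)) + covered

def flip_byte(image, offset):
    out = bytearray(image)  # copy with one corrupted byte, for the CRC check
    out[offset] ^= 0xFF
    return bytes(out)

# Constructed sample (not the real File2.bin): a 100-byte dummy loader and a
# 400-byte stand-in for the gzip'd kernel, so the kernel lands at 28 + 100.
SAMPLE_TRX = build_trx(b"\x5A" * 100, b"\x1F\x8B" + b"\xC3" * 398)

if __name__ == "__main__":
    info = parse_trx(SAMPLE_TRX)
    print(info["offsets"], info["crc32"], "crc ok:", info["crc_ok"])
    print("truncated copy ok:", parse_trx(SAMPLE_TRX[:-16])["crc_ok"])
```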

Now on to analyzing the IOT firmware image IOT.bin:

Challenge 24: (50 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image IOT.bin and find the password of the admin user. (hint: not the one in plain text) Ans: 1234

First, let's see how binwalk is used:

student@ub20-iot:~$ binwalk --help

Binwalk v2.2.0
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities
    -V, --subdirs                Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -u, --similar                Only display lines that are the same between all files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port

The -e option extracts the image; go into the _IOT.bin.extracted directory that the extraction produces, then into squashfs-root:

student@ub20-iot:~$ binwalk -e IOT.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
256           0x100           LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4300896 bytes

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -le -d 'squashfs-root-0' '%e'' might not be installed correctly

WARNING: Extractor.execute failed to run external extractor 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'': [Errno 2] No such file or directory: 'sasquatch', 'sasquatch -p 1 -be -d 'squashfs-root-0' '%e'' might not be installed correctly
1418962       0x15A6D2        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 8252568 bytes, 1762 inodes, blocksize: 131072 bytes, created: 2015-01-24 10:52:26

student@ub20-iot:~$ ls
FileOne.bin  FileTwo.bin  IOT.bin  _IOT.bin.extracted
student@ub20-iot:~$ ls -l
total 20132
-rw-r--r-- 1 root    root    3174528 Jan  7  2022 FileOne.bin
-rw-r--r-- 1 root    root    7754752 Jan  7  2022 FileTwo.bin
-rw-r--r-- 1 root    root    9671530 Jan 26  2015 IOT.bin
drwxrwxr-x 3 student student    4096 Apr  3 08:28 _IOT.bin.extracted
student@ub20-iot:~$ cd _IOT.bin.extracted
student@ub20-iot:~/_IOT.bin.extracted$ ls -l
total 21716
-rw-rw-r--  1 student student 4300896 Apr  3 08:28 100
-rw-rw-r--  1 student student 9671274 Apr  3 08:28 100.7z
-rw-rw-r--  1 student student 8252568 Apr  3 08:28 15A6D2.squashfs
drwxr-xr-x 12 student student    4096 Jan 24  2015 squashfs-root
student@ub20-iot:~/_IOT.bin.extracted$ cd squashfs-root/
student@ub20-iot:~/_IOT.bin.extracted/squashfs-root$ ls -l
total 44
drwxr-xr-x 2 student student 4096 Jan 24  2015 bin
drwxr-xr-x 4 student student 4096 Jan 24  2015 boaroot
drwxr-xr-x 6 student student 4096 Jan 24  2015 dev
lrwxrwxrwx 1 student student    8 Jan 24  2015 etc -> /tmp/etc
-rw-r--r-- 1 student student   16 Jan 24  2015 firmware_version
drwxr-xr-x 4 student student 4096 Jan 24  2015 lib
lrwxrwxrwx 1 student student   11 Jan 24  2015 linuxrc -> bin/busybox
drwxr-xr-x 2 student student 4096 Jan 24  2015 proc
drwxr-xr-x 2 student student 4096 Jan 24  2015 sbin
drwxr-xr-x 2 student student 4096 Jan 24  2015 sys
drwxr-xr-x 3 student student 4096 Jan 24  2015 tmp
drwxr-xr-x 4 student student 4096 Jan 24  2015 userfs
drwxr-xr-x 8 student student 4096 Jan 24  2015 usr
lrwxrwxrwx 1 student student    8 Jan 24  2015 var -> /tmp/var

Anyway, use find -name to look for password-related files, because there are too many directories to browse by hand:

student@ub20-iot:~/_IOT.bin.extracted$ ls
100  100.7z  15A6D2.squashfs  squashfs-root
student@ub20-iot:~/_IOT.bin.extracted$ find -name passwd
./squashfs-root/usr/bin/passwd
./squashfs-root/usr/etc/passwd
student@ub20-iot:~/_IOT.bin.extracted$ cat ./squashfs-root/usr/etc/passwd
admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh

Googling the hash gives the answer: 1234.

The actual procedure for cracking it with hashcat:

To identify the hash algorithm, use the following site:

Decrypt MD5, SHA1, MySQL, NTLM, SHA256, SHA512, Wordpress, Bcrypt hashes for free online

It is identified as md5. Next use hashcat, where the -m option is followed by the hash mode (algorithm); see the figure below:

-a 0 selects a dictionary attack; the hash from above is stored in a file named hash. That file holds only the hashed string $1$$iC.dUsGpxNNJGeOm1dFio/, not the entire line that cat printed.

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# hashcat -a 0 -m 500 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-penryn-Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz, 1433/2931 MB (512 MB allocatable), 1MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$1$$iC.dUsGpxNNJGeOm1dFio/:1234

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$$iC.dUsGpxNNJGeOm1dFio/
Time.Started.....: Mon May  8 05:03:19 2023 (1 sec)
Time.Estimated...: Mon May  8 05:03:20 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1797 H/s (12.24ms) @ Accel:128 Loops:500 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1152/14344385 (0.01%)
Rejected.........: 0/1152 (0.00%)
Restore.Point....: 1024/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:500-1000
Candidate.Engine.: Device Generator
Candidates.#1....: kucing -> summer1
Hardware.Mon.#1..: Util:100%

Started: Mon May  8 05:02:36 2023
Stopped: Mon May  8 05:03:21 2023

So the password is 1234.

With John the Ripper it is even simpler: the whole line can be copied in as-is, so the hash_1 file contains:

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# cat hash_1
admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh

There is also no need to look up which hash type it is; just crack it directly:

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format="crypt" hash_1
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 2 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
1234             (admin)
1g 0:00:00:00 DONE (2023-05-08 06:01) 5.263g/s 6063p/s 6063c/s 6063C/s dancer1..summer1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
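As an added example (not from the original post, nor code from hashcat or john), the following Python implements md5crypt, the $1$ scheme that hashcat mode 500 and john's crypt format computed above, and uses it to parse the passwd line and confirm the recovered password offline. It also shows why a web lookup found this hash: the salt between the second and third $ is empty, so the firmware ships an effectively unsalted hash. parse_passwd_line and check_password are helpers written for this example.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = ""  # md5crypt's own base-64 variant, least significant 6 bits first
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt, magic="$1$"):
    """FreeBSD/glibc md5crypt ($1$): the scheme behind hashcat -m 500 and
    john's md5crypt. The salt is at most 8 characters and may be empty."""
    pw = password.encode()
    salt_b = salt[:8].encode()
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic.encode() + salt_b)
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:  # historical quirk: a NUL or the first password byte per bit
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # 1000 rounds of mixing to slow down guessing
        ctx = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx.update(salt_b)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    encoded = (_to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
               + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
               + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
               + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
               + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
               + _to64(final[11], 2))
    return magic + salt_b.decode() + "$" + encoded

def parse_passwd_line(line):
    """Return (user, salt, hash_field) from one passwd(5) entry."""
    user, field = line.split(":")[:2]
    if not field.startswith("$1$"):
        raise ValueError("not an md5crypt ($1$) hash: " + field)
    salt = field[3:].split("$", 1)[0]  # empty here: "$1$$..." has no salt
    return user, salt, field

def check_password(line, candidate):
    """True if the candidate reproduces the stored hash."""
    _user, salt, field = parse_passwd_line(line)
    return md5crypt(candidate, salt) == field

# The line found above in squashfs-root/usr/etc/passwd.
PASSWD_LINE = "admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh"

if __name__ == "__main__":
    user, salt, _ = parse_passwd_line(PASSWD_LINE)
    print("user %s, salt %r (empty: unsalted, so a lookup table finds it)" % (user, salt))
    print("1234 matches:", check_password(PASSWD_LINE, "1234"))
```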

Challenge 25: (50 Points)

On the Target Machine 3 (172.25.120.100), analyze IOT firmware image IOT.bin, what is the web_passwd of the user anonymous (include all characters)?

Use grep to find which file the string appears in, with the options -nir, because:

-n: show the line number of each matching line.
-i: match case-insensitively.
-r: recurse into files in subdirectories.

student@ub20-iot:~/_IOT.bin.extracted$ grep -nir anonymous
squashfs-root/boaroot/cgi-bin/PWD_password.asp:122:                     //cf.sysOldPasswd.value = "anonymous";
squashfs-root/boaroot/cgi-bin/PWD_password.asp:123:                     cf.temp_pwd_old.value = "anonymous";
squashfs-root/boaroot/cgi-bin/PWD_password.asp:128:                     //cf.sysNewPasswd.value = "anonymous";
squashfs-root/boaroot/cgi-bin/PWD_password.asp:129:                     //cf.sysConfirmPasswd.value = "anonymous";
squashfs-root/boaroot/cgi-bin/PWD_password.asp:130:                     cf.temp_pwd_new.value = "anonymous";
Binary file squashfs-root/bin/busybox matches
Binary file squashfs-root/lib/libbigballofmud.so matches
Binary file squashfs-root/lib/libc.so.0 matches
squashfs-root/usr/etc/bftpd.conf:46:  ANONYMOUS_USER="yes"
squashfs-root/usr/etc/bftpd.conf:49:user anonymous {
squashfs-root/usr/etc/bftpd.conf:50:  #If the client wants anonymous, ftp is taken instead.
squashfs-root/usr/script/ftp.sh:59:  ANONYMOUS_USER=\"$AUTH\"
squashfs-root/usr/script/ftp.sh:64:  ANONYMOUS_USER=\"yes\"
squashfs-root/usr/script/ftp.sh:67:user anonymous {
squashfs-root/usr/script/ftp.sh:68:  #If the client wants anonymous, ftp is taken instead.
squashfs-root/userfs/string2.conf:2212:VoIPCallAnonymousText=Anonymous call blocking
squashfs-root/userfs/string2.conf:2213:VoIPCallAnonymous0Text=Enable
squashfs-root/userfs/string2.conf:2214:VoIPCallAnonymous1Text=Disable
squashfs-root/userfs/string2.conf:2215:VoIPCallAnonycallingText=Anonymous calling
squashfs-root/userfs/string2.conf:2529:HelpVoIPAnonyText=Anonymous call blocking</i></b> When you enables anonymous call blocking, the device will reject an anonymous call automatically.
squashfs-root/userfs/string2.conf:2530:HelpVoIPAnony1Text=Anonymous calling</i></b> Anonymous call is that user can make a call with an anonymous caller ID. When user make call to a callee, the callee's phone will not show the caller's number.
squashfs-root/userfs/string1.conf:2214:VoIPCallAnonymousText=Anonymous call blocking
squashfs-root/userfs/string1.conf:2215:VoIPCallAnonymous0Text=Enable
squashfs-root/userfs/string1.conf:2216:VoIPCallAnonymous1Text=Disable
squashfs-root/userfs/string1.conf:2217:VoIPCallAnonycallingText=Anonymous calling
squashfs-root/userfs/string1.conf:2531:HelpVoIPAnonyText=Anonymous call blocking</i></b> When you enables anonymous call blocking, the device will reject an anonymous call automatically.
squashfs-root/userfs/string1.conf:2532:HelpVoIPAnony1Text=Anonymous calling</i></b> Anonymous call is that user can make a call with an anonymous caller ID. When user make call to a callee, the callee's phone will not show the caller's number.
Binary file squashfs-root/userfs/bin/wpa_supplicant matches
Binary file squashfs-root/userfs/bin/tcpdump matches
Binary file squashfs-root/userfs/bin/boa matches
Binary file squashfs-root/userfs/bin/smbd matches
Binary file squashfs-root/userfs/bin/bftpd matches
squashfs-root/userfs/romfile.cfg:208:    <Entry2 username="anonymous" web_passwd="anon@localhost" display_mask="FF FF F7 FF FF FF FF FF FF"/>
squashfs-root/userfs/romfile.cfg:271:    <Entry0 SIPCallerIdEnable="0" SIPCallWaitingEnable="1" SIPCallForwardEnable="No" SIPCFUNumber="*11" SIPCFBNumber="*12" SIPCFNRNumber="*13" SIPCallTransfer="No" SIPBlindTransferNumber="*21" SIPAttendedTransferNumber="*22" SIP3wayConf="No" SIP3wayConfNumber="*3" SIPMWIEnable="No" SIPCallReturnEnable="No" SIPCallReturnNumber="*69" AnonymousCall="0" AnonymousCallBlock="0" SIPDNDEnable="0" SIPDNDEnableNumber="*78" SIPDNDDisableNumber="*79" DODEnable="" DODNumber="*0" SC_ACCT_ADV_ALL_CF="1"/>
squashfs-root/userfs/romfile.cfg:272:    <Entry1 SIPCallerIdEnable="0" SIPCallWaitingEnable="1" SIPCallForwardEnable="No" SIPCFUNumber="*11" SIPCFBNumber="*12" SIPCFNRNumber="*13" SIPCallTransfer="No" SIPBlindTransferNumber="*21" SIPAttendedTransferNumber="*22" SIP3wayConf="No" SIP3wayConfNumber="*3" SIPMWIEnable="No" SIPCallReturnEnable="No" SIPCallReturnNumber="*69" AnonymousCall="0" AnonymousCallBlock="0" SIPDNDEnable="0" SIPDNDEnableNumber="*78" SIPDNDDisableNumber="*79" DODEnable="No" DODNumber="*0" SC_ACCT_ADV_ALL_CF="1"/>

At the very bottom; the answer is the part circled in red (in the screenshot):









