The Needle is a very easy challenge in the hardware category. The challenge description is as follows:
‘As a part of our SDLC process, we’ve got our firmware ready for security testing. Can you help us by performing a security assessment?’
SHA-256 of the challenge download: 535191a711ea95bf58a6d64f940f9409f3af272fcfd685d0e72971e0d55ea03c.
First Steps
Let’s download the firmware.bin file – the only one provided for the challenge. A quick scan of the file properties and any potentially valuable metadata, then an attempt to open it in a text editor: it’s binary (or an unsupported text encoding), so nothing obvious. We’re going to need to access and run it somehow – either on a virtual machine or in a software suite that matches the machine instance provided. Trying the browser with the IP and ip:port returns nothing.
An nmap of the instance is next, as well as a w3af scan. There’s a lot (the haystack?) of stuff hosted on the machine – MySQL, multiple Node.js apps, Apache, WordPress sites – a web hosting server. On port 30568 – the specific port referenced by the HackTheBox challenge – is an open TCP telnet service: BusyBox telnetd. A quick read-up on BusyBox: it’s a single binary bundling many standard Unix utilities, commonly found in router firmware, with telnetd sitting under /usr/sbin. Well, we have a firmware file. This is target numero uno – the needle in the haystack (for now).
More on BusyBox telnetd. Telnet into the instance service port. It’s asking for a login. Try a few of the standard generic combinations – nothing works. Watch a YouTube video on how to reset software, firmware and Bluetooth, and how to factory reset a BusyBox device. Not very informative.
The .bin file
So we return to the challenge’s .bin file – we have to open, read or view it somehow to look for any hints – factory settings, saved configuration or another target. Kali Linux has a tool called Binwalk, described as: ‘a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images.’ Let’s make sure we have it.
sudo apt install binwalk   # install binwalk
binwalk -h                 # check the options
sudo binwalk -e firmware.bin   # extract embedded files from the image
This tells Binwalk to extract the files embedded in firmware.bin into a new folder, _firmware.bin.extracted, giving us a large collection of files to work with.
Extracting the downloaded .bin file gives us a large haystack of a filesystem.
Searching the Haystack
So I thought the haystack was the instance – looks like it’s actually the large collection of folders and files above. I do a quick scan for anything that stands out: vim the BusyBox files, where I don’t find much of interest. The file listings point to a lot of locations in the /bin and /usr directories – which are both empty. The login files simply read ‘busybox’ – maybe a login or account name? Next I’ll run some grep commands to find anything matching what I might be looking for.
grep -rn "./" -e "password"
Nothing stands out regarding an obvious system or user password.
grep -rn "./" -e "login"
This digs deeper, looking for anything related to a login or connection. Another needle stands out after reading through the results:
./squashfs-root/etc/scripts/teletd.sh: telnetd -l "/usr/sbin/login" -u Device_Admin:$sign -I $lf &
Is this a telnet login using the plaintext username Device_Admin and a password?
The grep for "login" returns a telnetd line passing a username and password via -u.
So I search for the sign reference, and find a sign file in the extracted directory. Voilà, it contains a single line: a very obvious plaintext password. So now we have Device_Admin as a telnet login and an unencrypted password from the sign file.
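The same hunt, written up as a reusable audit check. This is an added example, not code from the writeup or from the challenge files; it assumes an extracted root such as _firmware.bin.extracted/squashfs-root and uses hypothetical function names (audit_telnetd_creds, demo).

```shell
#!/bin/sh
# Hypothetical audit helper (added example): given an extracted firmware root, report
# every shell script that launches telnetd with a hard-coded "-u user:password"
# argument, and note whether the password is a literal or a shell variable that is
# resolved at boot (as with $sign above, which pointed at a plaintext file).
# Output: one line per finding, "<script>:<line>:<user>:<pass>:<kind>".
audit_telnetd_creds() {
    root="$1"
    find "$root" -type f -name '*.sh' \
        -exec grep -nH -E 'telnetd.*-u[[:space:]]+[^[:space:]]+' {} + 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        line=${rest%%:*}
        # Pull the token that follows -u, e.g. Device_Admin:$sign
        cred=$(printf '%s\n' "$hit" | sed -n 's/.*-u[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')
        user=${cred%%:*}
        pass=${cred#*:}
        case "$pass" in
            \$*) kind="variable" ;;   # expanded at boot: find the assignment or source file next
            *)   kind="literal" ;;    # plaintext password embedded directly in the script
        esac
        printf '%s:%s:%s:%s:%s\n' "$file" "$line" "$user" "$pass" "$kind"
    done
}

# Stand-alone demo on a constructed firmware tree mirroring the finding above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/scripts"
    # Constructed sample script line, modelled on the real one found by grep.
    printf 'telnetd -l "/usr/sbin/login" -u Device_Admin:$sign -I $lf &\n' \
        > "$tmp/etc/scripts/telnetd.sh"
    audit_telnetd_creds "$tmp"
    rm -rf "$tmp"
}
```

Run `audit_telnetd_creds _firmware.bin.extracted/squashfs-root` against a real extraction; any "variable" finding is the cue to locate the file or assignment that feeds it, as the sign file did here.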

Logging in
We telnet back into the machine with the credentials we just found, and just like that we’re in. A quick ls returns a single file: flag.txt. cat flag.txt prints its contents out on the terminal.

Approximate time taken was 1 hour.
Flag: HTB{4_hug3_blund3r_d289a1_!!}