Write-up - Defcon-20-quals 2012 - Forensic 300

by @Jonathan Salwan - 2012-06-04

We download the file, check that its hash matches the one embedded in the filename, and look at the file type; `file` does not recognise the format.

$ md5sum for300-47106ef450c4d70ae95212b93f11d05d
47106ef450c4d70ae95212b93f11d05d  for300-47106ef450c4d70ae95212b93f11d05d

$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data

Since `file` only sees raw data, we run binwalk to look for embedded signatures.

$ binwalk for300-47106ef450c4d70ae95212b93f11d05d
DECIMAL       HEX       DESCRIPTION
--------------------------------------------------------------------------------------------
108           0x6C      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 
                        bytes, uncompressed size: 3008436 bytes
983148        0xF006C   PackImg Tag, little endian size: 14690560 bytes; big endian size: 
                        2744320 bytes
983180        0xF008C   Squashfs filesystem, little endian, version 4.0, size: 724610815 
                        bytes, 1470 inodes, blocksize: 0 bytes, created: Sat Mar  6 
                        12:29:04 1993

This is the classic layout of an embedded-device firmware image: an LZMA-compressed blob (typically the kernel) followed by a Squashfs root filesystem. The size, block size and date binwalk decoded for the Squashfs header (724 MB, blocksize 0, a 1993 timestamp) are obviously wrong, so the only value we trust is the offset 0xF008C = 983180; we carve from there and verify the header afterwards. (dd with bs=1 works but is slow, as the 298 kB/s below shows; with GNU dd, `bs=4096 skip=983180 iflag=skip_bytes`, or simply `tail -c +983181`, copies the same bytes in a fraction of the time.)

$ dd if=./for300-47106ef450c4d70ae95212b93f11d05d of=./extract.squashfs bs=1 skip=983180
2859008+0 records in
2859008+0 records out
2859008 bytes (2.9 MB) copied, 9.59646 s, 298 kB/s
$ file ./extract.squashfs
./extract.squashfs: Squashfs filesystem, little endian, version 4.0, 2857099 bytes, 1470 inodes, blocksize: 
131072 bytes, created: Wed May 30 23:26:52 2012
$
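Rather than trusting the header fields a signature scanner decodes, you can read the 96-byte Squashfs 4.0 superblock yourself: it gives the real block size, compressor, inode count, modification time and, most usefully, `bytes_used`, which tells you exactly how many bytes to carve. The following is an added example, not code from the original write-up; the firmware image it scans is constructed in memory (a decoy `hsqs` string in the header, then a superblock with the same inode count, block size and date that `file` reported above), and the field layout is the public Squashfs 4.0 superblock format.

```python
"""Locate, validate and carve Squashfs 4.0 filesystems inside a raw firmware image.

Added example (not from the original write-up). The sample image below is
constructed; the superblock layout is the documented Squashfs 4.0 format.
"""
import struct
from datetime import datetime, timezone

SQUASHFS_MAGIC = b"hsqs"                    # 0x73717368 little-endian
SUPERBLOCK_FMT = "<IIIIIHHHHHHQQQQQQQQ"     # 96-byte Squashfs 4.0 superblock
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)
MAGIC_VALUE = struct.unpack("<I", SQUASHFS_MAGIC)[0]
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(data, offset):
    """Return a dict for the superblock at `offset`, or None if the bytes
    there are not a plausible Squashfs 4.0 superblock (a stray 'hsqs' in
    random data is exactly what a signature-only scan falls for)."""
    if len(data) - offset < SUPERBLOCK_LEN:
        return None
    (magic, inodes, mtime, block_size, _fragments, comp, block_log, _flags,
     _ids, major, minor, _root_inode, bytes_used,
     *_tables) = struct.unpack_from(SUPERBLOCK_FMT, data, offset)
    if magic != MAGIC_VALUE or (major, minor) != (4, 0) or comp not in COMPRESSORS:
        return None
    # block_size must be a power of two between 4 KiB and 1 MiB and agree with block_log
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    # the filesystem cannot be smaller than its header or run past the image
    if bytes_used < SUPERBLOCK_LEN or bytes_used > len(data) - offset:
        return None
    return {
        "offset": offset,
        "inodes": inodes,
        "mtime": datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "block_size": block_size,
        "compression": COMPRESSORS[comp],
        "bytes_used": bytes_used,
    }


def find_squashfs(data):
    """Scan the whole image and return every superblock that passes validation."""
    found = []
    pos = data.find(SQUASHFS_MAGIC)
    while pos != -1:
        sb = parse_superblock(data, pos)
        if sb:
            found.append(sb)
        pos = data.find(SQUASHFS_MAGIC, pos + 1)
    return found


def carve(data, sb):
    """Slice out exactly the bytes the filesystem says it occupies. unsquashfs
    tolerates trailing flash padding, but a tight carve keeps hashes reproducible."""
    return data[sb["offset"]:sb["offset"] + sb["bytes_used"]]


# --- constructed sample image; values mirror the write-up's `file` output ---
SAMPLE_OFFSET = 983180
SAMPLE_MTIME = int(datetime(2012, 5, 30, 23, 26, 52, tzinfo=timezone.utc).timestamp())


def build_sample_image():
    """Fake firmware: a junk header containing a decoy 'hsqs', then a real-looking
    superblock (1470 inodes, 128 KiB blocks, LZMA), filler, and trailing 0xFF padding."""
    bytes_used = 4096
    sb = struct.pack(SUPERBLOCK_FMT,
                     MAGIC_VALUE, 1470, SAMPLE_MTIME, 131072, 3,   # magic, inodes, mtime, block_size, fragments
                     2, 17, 0xC0, 1, 4, 0,                         # lzma, block_log, flags, ids, version 4.0
                     0, bytes_used, 0, 0xFFFFFFFFFFFFFFFF,         # root inode, bytes_used, id table, no xattrs
                     96, 2000, 3000, 0xFFFFFFFFFFFFFFFF)           # inode/dir/frag tables, no export table
    header = b"\x00" * 100 + b"hsqs" + b"\x00" * (SAMPLE_OFFSET - 104)  # decoy magic at 100
    body = sb + b"\xAA" * (bytes_used - len(sb))
    return header + body + b"\xFF" * 512


if __name__ == "__main__":
    img = build_sample_image()
    for sb in find_squashfs(img):
        print(sb)
        with open("extract.squashfs", "wb") as f:
            f.write(carve(img, sb))
```

On a real image replace `build_sample_image()` with the file contents; the decoy at offset 100 is rejected because its version and block size fields are zero, which is the check a signature scan skips.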

Now that we have the filesystem image, we extract its contents. This needs unsquashfs version 4 built with its LZMA module, since a default build will not decompress this image. You can download this tool here.

$ ./squashfs-tools4/unsquashfs4 ./extract.squashfs
Parallel unsquashfs: Using 2 processors
1376 inodes (1415 blocks) to write
[...]
created 1166 files
created 94 directories
created 144 symlinks
created 0 devices
created 0 fifos
$

Everything is extracted into the squashfs-root directory.

$ cd squashfs-root
$ ls
bin  dev  etc  home  htdocs  lib  mnt  proc  sbin  sys  tmp  usr  var  www
$ ls -l
total 52K
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 bin
drwxr-xr-x  9 jonathan users 4.0K Apr 22  2011 dev
drwxr-xr-x 12 jonathan users 4.0K Apr 22  2011 etc
drwxr-xr-x  3 jonathan users 4.0K May 30 23:20 home
drwxr-xr-x 12 jonathan users 4.0K Apr 22  2011 htdocs
drwxr-xr-x  4 jonathan users 4.0K Apr 22  2011 lib
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 mnt
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 proc
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 sbin
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 sys
lrwxrwxrwx  1 jonathan users    8 Jun  3 17:15 tmp -> /var/tmp
drwxr-xr-x  5 jonathan users 4.0K Apr 22  2011 usr
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 var
drwxr-xr-x  2 jonathan users 4.0K Apr 22  2011 www

We now have the complete root filesystem. Almost everything is dated Apr 22 2011, the firmware build date; the only directory touched later is home (May 30, the same day the Squashfs was created), so that is where we look first. (The tmp symlink shows today's date because it was created at extraction time.)

$ cd ./home/dlink
$ ls -l
total 4.0K
-rw-r--r-- 1 jonathan users 45 May 30 23:24 key.txt
$ cat key.txt
ewe know, the sh33p always preferred Linksys
$
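The listing above is the general trick for this kind of challenge: files the organizers (or an attacker) added to a vendor image carry a modification time later than everything else, so sorting the extracted tree by mtime surfaces them without knowing the path. The following is an added example, not part of the original write-up; it builds a constructed stand-in for squashfs-root in a temporary directory (vendor files dated 2011-04-22, one key dropped on 2012-05-30, and a symlink that must not be followed), and on a real extraction you would run it as `python3 mtime_triage.py squashfs-root`.

```python
"""Triage an extracted firmware root by modification time.

Added example (not from the original write-up). The sample tree is
constructed in a temporary directory; pass a real squashfs-root as argv[1].
"""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

DAY = 86400


def walk_files(root):
    """Yield (relative_path, mtime) for every regular file under root.
    Symlinks are skipped so a tmp -> /var/tmp link cannot drag in host files."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, int(os.lstat(full).st_mtime)


def build_day(files):
    """Estimate the firmware build date as the day most files were last modified."""
    days = Counter(mtime // DAY for _path, mtime in files)
    return days.most_common(1)[0][0]


def find_outliers(root):
    """Files modified after the build day, newest first. In a vendor image these
    are post-build edits: dropped configs, planted binaries, or a CTF key."""
    files = list(walk_files(root))
    if not files:
        return []
    base = build_day(files)
    late = [(path, mtime) for path, mtime in files if mtime // DAY > base]
    late.sort(key=lambda pm: pm[1], reverse=True)
    return [(path, datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
            for path, mtime in late]


def _ts(*ymdhms):
    """Epoch seconds for a UTC date, used only to stamp the constructed sample."""
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


def build_sample_root():
    """Constructed stand-in for squashfs-root: vendor files from the 2011 build,
    one key added in 2012, and a dangling symlink like the real image's tmp."""
    root = tempfile.mkdtemp(prefix="fw-")
    vendor = _ts(2011, 4, 22, 10, 0, 0)
    for rel in ("bin/busybox", "etc/passwd", "htdocs/index.html", "sbin/httpd"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"vendor")
        os.utime(path, (vendor, vendor))
    key = os.path.join(root, "home", "dlink", "key.txt")
    os.makedirs(os.path.dirname(key))
    with open(key, "w") as f:
        f.write("ewe know, the sh33p always preferred Linksys\n")
    planted = _ts(2012, 5, 30, 23, 24, 0)
    os.utime(key, (planted, planted))
    os.symlink("/var/tmp", os.path.join(root, "tmp"))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for path, when in find_outliers(target):
        print(when, path)
```

Using the modal day rather than a fixed date keeps the heuristic usable on images whose build date you do not know in advance; a build system that touches every file at pack time defeats it, which is why the superblock's own mtime is worth reading too.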

This challenge was extremely easy and scored us 300 points.