HackTheBox “The Needle” Writeup
Difficulty: Very Easy
Medium: Firmware.bin and a Hosted machine
Machine Description: “As a part of our SDLC process, we’ve got our firmware ready for security testing. Can you help us by performing a security assessment?”
Ok, so where do we start?
Let’s take a look at the machine. I usually start by telnetting into the open port and seeing the response.
Looks like it’s just a plain telnet console! It’s asking us for a login, which we don’t know yet.
Since we can’t progress further through here, let’s take a look at Firmware.bin.
First thing to do is to see what is stored in the .bin file. We do this with binwalk firmware.bin:
Looks like it’s a SquashFS filesystem! We now need to decompress it. To do this we use binwalk -e firmware.bin. This spits out the folder _firmware.bin.extracted.
Going into this folder we see a variety of files and folders. Our goal is to find the telnet login for the machine, so let’s start by using grep -r telnet:
grep -r searches recursively, showing every match for the string in all files under the current directory. Looking at the output, we see two main files: telnetd.sh and squashfs-root/etc/scripts/telnetd.sh. These files are exact clones of each other, and both are the service startup script for the telnet server running on the machine. Let’s ignore telnetd.sh and focus on the squashfs one, since it’ll make later steps easier.
There’s a specific line showing in the grep results that we should be paying attention to:
squashfs-root/etc/scripts/telnetd.sh: telnetd -l "user/sbin/login" -u Device_Admin:$sign
telnetd is the command that initiates the server. -l specifies the login program, which we can ignore here. -u specifies the login credentials that users can log in with, which is what we are looking for! Looks like the username is Device_Admin, and the password is $sign?
$sign is actually a shell variable. If we cat the whole telnetd.sh file, we can see it’s declared here:
sign=`cat /etc/config/sign`
The password is the contents of a file stored at /etc/config/sign in the squashfs filesystem.
Let’s run cd squashfs-root/etc/config; cat sign:
Wow! That looks like it could be a password! Let’s try out the credentials we found on the actual machine:
Success! We logged in! From here, we do an ls and see the flag sitting there. cat the flag and there we are! That’s the challenge complete!
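The manual grep-and-cat steps above can be turned into a repeatable firmware review check. The following is an added example, not part of the original writeup or the challenge files: it walks an extracted root, reports every telnetd -u USER:SECRET line, and resolves a secret that is assigned from cat of a file inside the image. The function names, the sample tree and the PLACEHOLDER_SECRET value are constructed, and it assumes the variable is set by command substitution (backticks or $(...)).

```python
import re
import tempfile
from pathlib import Path

# telnetd ... -u USER:SECRET, where SECRET is a literal or a $variable
TELNETD_U = re.compile(r'\btelnetd\b.*?-u\s+"?([^\s:"]+):(\$\{?\w+\}?|[^\s"]+)')
# NAME=`cat /path` or NAME=$(cat /path)
CAT_ASSIGN = r'^\s*{name}=(?:`|\$\()\s*cat\s+([^\s`)]+)\s*[`)]'

def resolve(var, script_text, root):
    """Resolve a variable assigned from `cat FILE`, reading FILE inside root."""
    m = re.search(CAT_ASSIGN.format(name=re.escape(var)), script_text, re.M)
    if not m:
        return None
    target = (root / m.group(1).lstrip("/")).resolve()
    if root.resolve() not in target.parents or not target.is_file():
        return None  # missing, or points outside the extracted tree
    return target.read_text(errors="replace").strip()

def find_telnetd_credentials(root):
    """Return (script, user, source, secret) for each telnetd -u line under root."""
    root = Path(root)
    findings = []
    for script in sorted(p for p in root.rglob("*") if p.is_file()):
        text = script.read_text(errors="replace")
        for m in TELNETD_U.finditer(text):
            user, secret = m.group(1), m.group(2)
            if secret.startswith("$"):
                var = secret.strip("${}")
                source, value = f"${var}", resolve(var, text, root)
            else:
                source, value = "literal", secret
            findings.append((str(script.relative_to(root)), user, source, value))
    return findings

def build_sample_root(tmp):
    """Constructed sample tree in the writeup's layout; the secret is a placeholder."""
    root = Path(tmp) / "squashfs-root"
    (root / "etc/scripts").mkdir(parents=True)
    (root / "etc/config").mkdir(parents=True)
    (root / "etc/config/sign").write_text("PLACEHOLDER_SECRET\n")
    (root / "etc/scripts/telnetd.sh").write_text(
        'sign=`cat /etc/config/sign`\n'
        'telnetd -l "user/sbin/login" -u Device_Admin:$sign\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*find_telnetd_credentials(build_sample_root(tmp)), sep="\n")
```

Any finding with a non-empty secret means the credential ships inside the image and is identical on every device flashed with it, so it should be treated as public and replaced with per-device provisioning.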