{"id":309,"date":"2015-12-28T11:33:24","date_gmt":"2015-12-28T11:33:24","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=309"},"modified":"2015-12-28T14:12:55","modified_gmt":"2015-12-28T14:12:55","slug":"sans-holiday-hack-challenge-part-ii","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=309","title":{"rendered":"SANS Holiday Hack Challenge \u2013 Part II"},"content":{"rendered":"<p>So continuing from my <a href=\"http:\/\/www.herbiez.com\/?p=301\" target=\"_blank\">original post<\/a> about the SANS 2015 Hack Challenge, here is my quick write-up about exercise two.<\/p>\n<p>Exercise 2<br \/>\n==========<br \/>\n&gt; What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?<br \/>\n&#8211; System<\/p>\n<p style=\"padding-left: 30px\">&#8211; DISTRIB_ID='OpenWrt'<br \/>\n&#8211; DISTRIB_RELEASE='Bleeding Edge'<br \/>\n&#8211; DISTRIB_REVISION='r47650'<br \/>\n&#8211; DISTRIB_CODENAME='designated_driver'<br \/>\n&#8211; DISTRIB_TARGET='realview\/generic'<br \/>\n&#8211; DISTRIB_DESCRIPTION='OpenWrt Designated Driver r47650'<br \/>\n&#8211; DISTRIB_TAINTS=''<\/p>\n<p>&#8211; CPU:\u00a0ARM version 1 (SYSV)<br \/>\n&#8211; Gnome web framework:\u00a0Looks to be node.js<\/p>\n<p>&gt; What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?<\/p>\n<p style=\"padding-left: 30px\">&#8211; MongoDB since there is a mongodb.conf file that points to dbPath: \/opt\/mongodb\/<br \/>\n&#8211; Username and password were found by running strings against the gnome.0 file<br \/>\n&#8211; username admin \/ password SittingOnAShelf<\/p>\n<p>Notes<br \/>\n=====<br \/>\n&#8211; Extracted bin file via 7Zip. 
Started to look around at files\/dirs.<br \/>\n&#8211; Looking through the filesystem, came across the following files that give info about the OS<\/p>\n<p style=\"padding-left: 30px\">&gt; \/etc\/openwrt_release and \/etc\/openwrt_version<\/p>\n<p>&#8211; Grepped for &#8216;shadow&#8217; and saw the path &#8211; C:\\Users\\Administrator\\Desktop\\Working\\giyh-firmware-dump\\bin\\login.sh<\/p>\n<p style=\"padding-left: 30px\">&gt; I could never find a shadow file though<\/p>\n<p>&#8211; To verify that there was no massive difference between just uncompressing the bin file via 7Zip and the other methods, I also used binwalk and dd (and based on what I am seeing, there is a difference)<\/p>\n<p style=\"padding-left: 30px\">&gt; sudo binwalk ~\/Desktop\/giyh-firmware-dump.bin<br \/>\n&gt; dd if=giyh-firmware-dump.bin of=filesys.squash skip=168803 bs=1<br \/>\n&gt; sudo binwalk ~\/Desktop\/filesystem.squash<\/p>\n<p>&#8211; Running the binwalk utility gave me the processor type<\/p>\n<p style=\"padding-left: 30px\">&gt; ELF, 32-bit LSB shared object, ARM, version 1 (SYSV)<br \/>\n&gt; This was also verified by using &#8220;binwalk -A&#8221; (-A scans for common opcode signatures), as it returned nothing but hits for &#8220;ARM instructions, function prologue&#8221;<\/p>\n<p>&#8211; Managed to get the filesystem (SquashFS) extracted using the squashfs-tools<\/p>\n<p style=\"padding-left: 30px\">&gt; unsquashfs &#8211; Both of the above commands (unsquashfs and dd) extract an image from the BIN file, with some differences between them (just not sure what)<\/p>\n<div id=\"attachment_310\" style=\"width: 822px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-28-at-11.15.05-AM.png\" rel=\"attachment wp-att-310\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-310\" class=\"size-full wp-image-310\" 
src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-28-at-11.15.05-AM.png\" alt=\"Differences in folders - One on my SIFT system extracted via DD and the other from my Windows VM using 7Zip\" width=\"812\" height=\"483\" style=\"padding:1px;border:thin solid black\" \/><\/a><p id=\"caption-attachment-310\" class=\"wp-caption-text\">Differences in folders &#8211; One on my SIFT system extracted via dd and the other from my Windows VM using 7Zip<\/p><\/div>\n<p>&#8211; Saw a service for MongoDB, so most likely MongoDB is supporting the web framework<\/p>\n<p style=\"padding-left: 30px\">&gt; In the \/etc folder there is a mongod.conf file that points to the DB path (\/opt\/mongodb)<br \/>\n&gt; Googled for what files would be in a MongoDB instance, noticed that there was the gnome.0 and gnome.ns<br \/>\n&gt; Ran strings on the gnome.0 file and could see the username\/password combo there<\/p>\n<p>&#8211; Only users on this system:<\/p>\n<p style=\"padding-left: 30px\">&gt; root:x:0:0:root:\/root:\/bin\/ash<br \/>\n&gt; daemon:*:1:1:daemon:\/var:\/bin\/false<br \/>\n&gt; ftp:*:55:55:ftp:\/home\/ftp:\/bin\/false<br \/>\n&gt; network:*:101:101:network:\/var:\/bin\/false<br \/>\n&gt; nobody:*:65534:65534:nobody:\/var:\/bin\/false<\/p>\n<p>&#8211; In the \/etc\/init.d folder could also see a nodejs file<\/p>\n<p style=\"padding-left: 30px\">&gt; This is most likely the web framework<\/p>\n<p>***Update: Figured out the difference between the images. 
The one that was extracted using &#8216;unsquashfs&#8217; seems to be missing files versus the other two that I did using dd and 7Zip as you can see below (dd image on the left and unsquashfs on the right):<br \/>\n<div id=\"attachment_319\" style=\"width: 1045px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-28-at-2.06.33-PM.png\" rel=\"attachment wp-att-319\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-319\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Screen-Shot-2015-12-28-at-2.06.33-PM.png\" alt=\"Difference between the filesystems\" width=\"1035\" height=\"860\" class=\"size-full wp-image-319\" style=\"padding:1px;border:thin solid black\" \/><\/a><p id=\"caption-attachment-319\" class=\"wp-caption-text\">Difference between the filesystems<\/p><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So continuing from my original post about the SANS 2015 Hack Challenge, here is my quick write up about exercise two. Exercise 2 ========== &gt; What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in? &#8211; System &#8211; DISTRIB_ID=&#8217;OpenWrt&#8217; &#8211; DISTRIB_RELEASE=&#8217;Bleeding Edge&#8217; &#8211; DISTRIB_REVISION=&#8217;r47650&#8242; &#8211; DISTRIB_CODENAME=&#8217;designated_driver&#8217; &#8211; DISTRIB_TARGET=&#8217;realview\/generic&#8217; &#8211; DISTRIB_DESCRIPTION=&#8217;OpenWrt Designated Driver r47650&#8242; &#8211; DISTRIB_TAINTS=&#8221; &#8211; CPU:\u00a0ARM version 1 (SYSV) &#8211; Gnome web framework:\u00a0Looks to be node.js &gt; What kind of a database engine is used to support the Gnome web interface? 
What is the plaintext password&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=309\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-309","post","type-post","status-publish","format-standard","hentry","category-challenges"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=309"}],"version-history":[{"count":8,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/309\/revisions\/320"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}