What is Firmware Reverse Engineering?
Every embedded system, such as a camera, router or smart watch, ships with pre-installed firmware: its own set of instructions running on the hardware's processor.
Firmware lets the hardware communicate with the other software running on the device, and it gives the designer/developer low-level control to make changes at the root level.
Firmware Reversing Steps
BinWalk: A firmware extraction tool that finds and extracts code and data embedded inside any binary by searching for signatures of many standard binary file formats (zip, tar, exe, ELF, etc.). Binwalk carries a database of binary header signatures against which the match is performed.
The common objective of using this tool is to extract the file system embedded in the firmware binary (Squashfs, yaffs2, Cramfs, ext*fs, jffs2, etc.). The file system holds all the application code that will run on the device.
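To make the signature-scanning idea concrete, here is a small added example (my own code, not binwalk and not part of the TryHackMe room) that does the two things binwalk is used for in this walkthrough: it scans a blob for a handful of well-known magic bytes (ELF, gzip, zip, squashfs, cramfs, tar) and reports the offset of each hit, and it computes per-block Shannon entropy, which is what binwalk's -E option plots and which is how you spot an encrypted or compressed region such as the .gpg image above. The sample blob is constructed inline; the signature table is a deliberately tiny subset of what binwalk knows.

```python
import math
from typing import List, Tuple

# Hand-picked subset of well-known magic bytes (assumption: enough to illustrate
# the technique, nowhere near binwalk's full signature database).
# Third field: where the magic sits relative to the start of the container;
# tar's "ustar" lives at byte 257 of the first 512-byte header block.
SIGNATURES = [
    ("ELF executable",       b"\x7fELF",          0),
    ("gzip compressed data", b"\x1f\x8b\x08",     0),
    ("zip archive",          b"PK\x03\x04",       0),
    ("squashfs (little-endian)", b"hsqs",          0),
    ("cramfs",               b"\x45\x3d\xcd\x28", 0),   # 0x28cd3d45 LE
    ("tar archive",          b"ustar",            257),
]


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (container_offset, description) for every magic match, sorted by offset."""
    hits = []
    for name, magic, magic_offset in SIGNATURES:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            container = idx - magic_offset
            if container >= 0:          # skip matches that would start before byte 0
                hits.append((container, name))
            start = idx + 1
    return sorted(hits)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte, 0.0 (all one value) to 8.0 (uniform)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, block: int = 4096) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size block, like the curve binwalk -E draws."""
    return [(off, shannon_entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def high_entropy_blocks(data: bytes, block: int = 4096, threshold: float = 7.5) -> List[int]:
    """Offsets of blocks that look compressed or encrypted (entropy >= threshold)."""
    return [off for off, e in entropy_profile(data, block) if e >= threshold]


# Constructed sample image: zero padding, a fake ELF header at 64, a squashfs
# magic at 128, a uniformly distributed 256-byte region at 256 standing in for
# an encrypted/compressed section, then trailing padding.
SAMPLE = (
    b"\x00" * 64
    + b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00" * 48
    + b"hsqs" + b"\x00" * 28
    + b"\x00" * 96
    + bytes(range(256))
    + b"\x00" * 64
)

if __name__ == "__main__":
    for off, name in find_signatures(SAMPLE):
        print(f"0x{off:08x}  {name}")
    for off, e in entropy_profile(SAMPLE, block=256):
        print(f"0x{off:08x}  entropy={e:.2f}")
    print("high-entropy blocks:", high_entropy_blocks(SAMPLE, block=256))
```

On a real image you would read the file into `data` and use a larger block (binwalk defaults to a few KiB); a flat run of near-8.0 entropy with no signature hits is the tell-tale of an encrypted or compressed region, which is exactly why the room needs the GPG key before binwalk can find a file system in firmwarev2.2-encrypted.gpg.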
Open the Machine’s Split View
cd bin
binwalk -E -N firmwarev2.2-encrypted.gpg
cd ..
cd bin-unsigned/
extract-firmware.sh firmwarev1.0-unsigned
Password: Santa1010
grep -ir paraphrase
cat fmk/rootfs/gpg/secret.txt
Paraphrase : Santa@2022
gpg --import fmk/rootfs/gpg/private.key
When prompted, type the Paraphrase we found above.
gpg --import fmk/rootfs/gpg/public.key
gpg --list-secret-keys
Once the keys are imported, McSkidy decrypts the firmware using the gpg command. First change back into the bin directory with cd .. and then cd bin:
cd ..
cd bin
gpg firmwarev2.2-encrypted.gpg
cat ~/bin/fmk/rootfs/flag.txt
Ans: THM{WE_GOT_THE_FIRMWARE_CODE}
Ans: Santa@2022
Use the command below to find the firmware version of rootfs.
Make sure you are in the rootfs directory first.
ls -lah * | grep rootfs
Ans: 2.6.31
Thank you for Reading!!
Happy Hacking ~