Skip to main content

Reverse Engineering a Router Firmware

I have an old TP Link Router and I thought if its possible to reverse the firmware and see if there are anything interesting or not. I grabbed the firware from the website and downloaded it locally

root@vultr:~/tplink_rev# wget https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip
--2018-09-19 16:46:26--  https://static.tp-link.com/resources/software/TL-WR740N_v1v2_100910.zip
Resolving static.tp-link.com (static.tp-link.com)... 23.67.166.40
Connecting to static.tp-link.com (static.tp-link.com)|23.67.166.40|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2902988 (2.8M) [application/x-zip-compressed]
Saving to: ‘TL-WR740N_v1v2_100910.zip’
TL-WR740N_v1v2_100910.zip                 100%[=====================================================================================>]   2.77M  --.-KB/s    in 0.01s
2018-09-19 16:46:26 (220 MB/s) - ‘TL-WR740N_v1v2_100910.zip’ saved [2902988/2902988]


Uncompressing the zip file we get a PDF file and a .bin file

root@vultr:~/tplink_rev# unzip TL-WR740N_v1v2_100910.zip
Archive:  TL-WR740N_v1v2_100910.zip
  inflating: wr740nv1_en_3_12_4_up(100910).bin
  inflating: Router Upgrade Help.doc
Using file command on it revealed the type :

root@vultr:~/tplink_rev# file wr740nv1_en_3_12_4_up\(100910\).bin
wr740nv1_en_3_12_4_up(100910).bin: data
Using strings command I tried to find some hardcoded ascii data, the -13 parameter is set so that I can see words containing more than 13 character. I choose this number by trial and error method because it revealed something interesting.

root@vultr:~/tplink_rev# strings -13 wr740nv1_en_3_12_4_up\(100910\).bin
TP-LINK Technologies
l]1[jY o)*B*jq
POa)D8gDbPwa%

Next I issued the binwalk utility to find some information about the binary

root@vultr:~/tplink_rev# binwalk wr740nv1_en_3_12_4_up\(100910\).bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TP-Link firmware header, firmware version: 0.0.0, image version: "", product ID: 0x0, product version: 121634817, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 3932160, kernel length: 512, rootfs offset: 818284, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0
512           0x200           gzip compressed data, has original file name: "vmlinux.bin", from Unix, last modified: 2010-09-03 04:31:13
1048576       0x100000        Squashfs filesystem, big endian, lzma signature, version 3.1, size: 2059306 bytes, 431 inodes, blocksize: 65536 bytes, created: 2010-09-13 03:29:45
 Few notable things we can find are
1. The firmware manufacturer
2. The kernel load address for booting process
3. The filesystem

Now we can try to extract the contents from the binary.

root@vultr:~/tplink_rev# binwalk -e wr740nv1_en_3_12_4_up\(100910\).bin
 root@vultr:~/tplink_rev# ls
 ]  'Router Upgrade Help.doc'   TL-WR740N_v1v2_100910.zip  'wr740nv1_en_3_12_4_up(100910).bin'  '_wr740nv1_en_3_12_4_up(100910).bin.extracted'

We can see binwalk successfully extracted the contents for us

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# ls
100000.squashfs  squashfs-root  vmlinux.bin
 So looking into squashfs-root we get the entire file systems

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted/squashfs-root# ls
bin  dev  etc  lib  linuxrc  mnt  proc  root  sbin  tmp  usr  var  web

Now we can find interesting things inside the file systems

root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# grep -rnw squashfs-root/ -e 'root'
squashfs-root/etc/passwd:1:root:x:0:0:root:/root:/bin/sh
squashfs-root/etc/passwd:2:Admin:x:0:0:root:/root:/bin/sh
squashfs-root/etc/passwd:13:ap71:x:500:0:Linux User,,,:/root:/bin/sh
squashfs-root/etc/shadow:1:root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::

squashfs-root/etc/group:1:root:x:0:
Binary file squashfs-root/bin/busybox matches
Binary file squashfs-root/sbin/iptables matches
Binary file squashfs-root/sbin/hostapd matches
Binary file squashfs-root/sbin/tc matches
Binary file squashfs-root/lib/libwpa_common.so matches
Binary file squashfs-root/usr/bin/httpd matches
Binary file squashfs-root/usr/sbin/pppd matches
root@vultr:~/tplink_rev/_wr740nv1_en_3_12_4_up(100910).bin.extracted# strings  squashfs-root/usr/bin/httpd | grep "root"
web_server_set_root_dir
root-servers
tc qdisc add dev %s root handle %d: htb default %s
tc qdisc del dev %s root
%s::upnp:rootdevice
Error specifying webserver root directory -- %s: %d
Error registering the rootdevice : %d
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

<root xmlns="urn:schemas-upnp-org:device-1-0">
I tried with John the Ripper to decrypt the unshadowed password , but not much successfull with root and admin account ( 5 mins of try only )

root@vultr:~/tplink_rev# unshadow  _wr740nv1_en_3_12_4_up\(100910\).bin.extracted/squashfs-root/etc/passwd _wr740nv1_en_3_12_4_up\(100910\).bin.extracted/squashfs-root/etc/shadow  > password

root@vultr:~/tplink_rev# john --show password
bin:NO PASSWORD:1:1:bin:/bin:/bin/sh
daemon:NO PASSWORD:2:2:daemon:/usr/sbin:/bin/sh
adm:NO PASSWORD:3:4:adm:/adm:/bin/sh
nobody:NO PASSWORD:65534:65534:nobody:/home:/bin/sh
ap71:NO PASSWORD:500:0:Linux User,,,:/root:/bin/sh
5 password hashes cracked, 2 left



Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br