• Donald Ashdown

SANS KringleCon Challenge 7

Objective

Table of contents

  • Objective

  • Summary

  • Character conversation

  • Hints

  • Getting into it

Getting into it table of contents

  • Deconstruct printer firmware

  • Generate payload

  • Encode, compress and re-package payload into firmware

  • Run hash extender and append new signatures

  • Upload and execute


Conversation



Hints

Summary

In this challenge we are tasked with exploiting a printer, and the way in is the printer firmware. We download the existing firmware export, decode it, and re-package it with an additional file that of course contains malicious code. When we re-package the firmware we hit a problem: a signature (a checksum computed with a secret) is checked to ensure the data has not been tampered with. We bypass this with a hash length extension attack, which lets us derive a valid signature for our extended data from the existing signature, without knowing the secret.


Workflow

Firmware analysis

  1. Download printer firmware-export.json

  2. Parse and decode base64 to firmware.zip

  3. Extract firmware.zip to firmware.bin

  4. Analyze dummy firmware.bin


Malicious firmware generation

  1. Create a /bin/sh script, copy.bin, that copies the flag to an output file

  2. Compress copy.bin into firmware.zip


Hash extension attack

  1. Use the hash_extender script to generate the hex data and signature

  2. Convert data from hex to base64


Repackage malicious firmware

  1. Paste converted base64 data into a new firmware-export.json

  2. Append signature provided from hash extension

  3. Upload firmware and browse to out location


Getting into it

Firmware analysis

1. Download printer firmware-export.json

We simply download the printer firmware which is provided in a .json format.



2. Parse and decode base64 to firmware.zip

Looking at the data we can see the JSON holds two things: the signature, and the firmware data, which is base64-encoded.


We paste the data into CyberChef to decode it, see that it is a binary file, and save the output to our PC.


3. Extract firmware.zip to firmware.bin

Unzip download.dat to obtain firmware.bin.


4. Analyze dummy firmware.bin in Ghidra

Literally nothing to see here


Malicious firmware generation

1. Create a /bin/sh script, copy.bin, that copies the flag to an output file



2. Compress copy.bin into firmware.zip



Hash extension attack

1. Use the hash_extender script to generate the hex data and signature

./hash_extender/hash_extender --file original/download.zip -f sha256 -l 16 -s c7075a308d5261ec1eafbe6a55c8b75f2f1a83bd668ba26f8a1953c6ed641111 --append-file attack/firmware.zip

2. Convert data from hex to base64

We use CyberChef for this, with two operations in sequence:

From Hex

To Base64
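As an added defensive illustration (my own code, not part of the writeup), the Python below shows why the signature in this challenge is extendable: a tag computed as sha256(secret || firmware) exposes the hash state, while HMAC-SHA256 does not; it also adds a cheap tamper check that counts zip End-of-Central-Directory records in the decoded package, since a length-extended package carries two archives glued together. The firmware-export.json field names, the 16-byte secret and the sample archives are assumptions.

```python
import base64
import hashlib
import hmac
import io
import json
import zipfile

# Assumed export layout (not confirmed by the writeup):
# {"firmware": "<base64 of the zip>", "signature": "<hex SHA-256>"}
def parse_export(export_json):
    obj = json.loads(export_json)
    return base64.b64decode(obj["firmware"]), obj["signature"]

def weak_sign(secret, firmware):
    # sha256(secret || data): the digest is the hash state after the last block,
    # so a holder can keep hashing appended bytes (what hash_extender exploits).
    return hashlib.sha256(secret + firmware).hexdigest()

def hmac_sign(secret, firmware):
    # HMAC-SHA256 hides the inner state behind a second keyed hash: not extendable.
    return hmac.new(secret, firmware, hashlib.sha256).hexdigest()

def make_export(secret, firmware, signer=hmac_sign):
    return json.dumps({"firmware": base64.b64encode(firmware).decode(),
                       "signature": signer(secret, firmware)})

def verify_export(export_json, secret, signer=hmac_sign):
    firmware, signature = parse_export(export_json)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(signer(secret, firmware), signature)

def count_zip_archives(firmware):
    # "original zip || hash padding || appended zip" carries two End-of-Central-
    # Directory records; genuine firmware carries one. Cheap tamper indicator.
    return firmware.count(b"PK\x05\x06")

def build_zip(name, content):
    # Constructed sample archive standing in for the challenge's firmware.zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def demo():
    secret = b"0123456789abcdef"  # 16-byte secret, the length passed as -l 16
    original = build_zip("firmware.bin", b"\x00" * 64)
    # Glue bytes stand in for the padding a real extension inserts between archives.
    extended = original + b"\x80" + b"\x00" * 47 + build_zip("copy.bin", b"#!/bin/sh\n")
    return {"legit_ok": verify_export(make_export(secret, original), secret),
            "archives": (count_zip_archives(original), count_zip_archives(extended))}
```

Swapping the printer's check from the weak_sign pattern to hmac_sign is the fix; the archive count is only a supporting heuristic for firmware that has already been accepted.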


Repackage malicious firmware

  1. Paste converted base64 data into a new firmware-export.json

  2. Append signature provided from hash extension

  3. Upload firmware and browse to out location
