Objective
Summary
In this challenge we are tasked with exploiting a printer, and we do this through the printer firmware. We download the existing printer firmware, decode it, and re-package it with an additional file that contains malicious code. When it comes to re-packaging, we run into an issue: a checksum is performed to ensure the data has not been tampered with. We bypass this with a hash extension attack, which allows us to create a valid checksum result from the existing signature.
Workflow
Firmware analysis
Download printer firmware-export.json
Parse and decode base64 to firmware.zip
Extract firmware.zip to firmware.bin
Analyze dummy firmware.bin
Malicious firmware generation
Create /bin/sh to copy flag to out file copy.bin
Compress copy.bin into firmware.zip
Hash extension attack
Use the hash_extender script to generate hex data and signature
Convert data from hex to base64
Repackage malicious firmware
Paste converted base64 data into a new firmware-export.json
Append signature provided from hash extension
Upload firmware and browse to out location
Getting into it
Firmware analysis
1. Download printer firmware-export.json
We simply download the printer firmware which is provided in a .json format.
2. Parse and decode base64 to firmware.zip
Looking at the data we can see we have the signature and the data which is encoded in base64.
We add the data to CyberChef to decode it and we can see it is a .bin file, so we save this output to our PC.
3. Extract firmware.zip to firmware.bin
Unzip download.dat to obtain firmware.bin.
4. Analyze dummy firmware.bin in Ghidra
Literally nothing to see here
Malicious firmware generation
1. Create /bin/sh to copy flag to out file copy.bin
2. Compress copy.bin into firmware.zip
Hash extension attack
1. Use the hash_extender script to generate hex data and signature
./hash_extender/hash_extender --file original/download.zip -f sha256 -l 16 -s c7075a308d5261ec1eafbe6a55c8b75f2f1a83bd668ba26f8a1953c6ed641111 --append-file attack/firmware.zip
2. Convert data from hex to base64
We use CyberChef for this:
From Hex
To Base64
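From the defender's side, an upload produced this way still carries the SHA-256 padding for secret + original data in the middle of the blob, and the fix is a keyed MAC. The following is an added example, not code from the challenge or from hash_extender. It assumes the printer checks SHA-256(secret + data) with a 16-byte secret, as the -f sha256 -l 16 arguments above imply; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

SECRET_LEN = 16  # assumption taken from the "-l 16" argument used on this page


def sha256_padding(total_len: int) -> bytes:
    """Padding SHA-256 itself appends to a message of total_len bytes."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)


def find_extension_glue(blob: bytes, secret_len: int = SECRET_LEN):
    """Return the offset where appended data starts, or None if no glue found.

    A length-extended upload contains the hash padding for secret + original
    in the middle of the data, followed by the appended bytes.
    """
    pos = blob.find(b"\x80")
    while pos != -1:
        pad = sha256_padding(secret_len + pos)
        end = pos + len(pad)
        if blob[pos:end] == pad and end < len(blob):
            return end
        pos = blob.find(b"\x80", pos + 1)
    return None


def verify_hmac(secret: bytes, blob: bytes, signature_hex: str) -> bool:
    """Hardened check: HMAC-SHA256 cannot be extended; constant-time compare."""
    expected = hmac.new(secret, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


if __name__ == "__main__":
    # Constructed sample data, not the challenge firmware or its secret.
    secret = b"K" * SECRET_LEN
    original = b"PK\x03\x04 constructed original archive \x80\x00"
    extended = original + sha256_padding(SECRET_LEN + len(original)) + b"PK appended"
    print("glue ends at:", find_extension_glue(extended))
    print("clean upload:", find_extension_glue(original))
    sig = hmac.new(secret, original, hashlib.sha256).hexdigest()
    print("HMAC accepts original:", verify_hmac(secret, original, sig))
    print("HMAC accepts extended:", verify_hmac(secret, extended, sig))
```

The glue check is a detection aid for logs and upload filters; the actual mitigation is replacing the prefix hash with HMAC or a real signature.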
Repackage malicious firmware
Paste converted base64 data into a new firmware-export.json
Append signature provided from hash extension
Upload firmware and browse to out location