Tags: hardware, free, medium

Silicon Data Sleuthing

HackTheBox

Techniques: firmware_extraction, filesystem_carving, overlay_analysis


Description

In the dust and sand surrounding the vault, you unearth a rusty PCB... You try to read the etched print, it says Open..W...RT, a router! You hand it over to the hardware gurus and to their surprise the ROM Chip is intact! They manage to read the data off the tarnished silicon and they give you back a firmware image. It's now your job to examine the firmware and maybe recover some useful information that will be important for unlocking and bypassing some of the vault's countermeasures!

The challenge provided a raw firmware dump (chal_router_dump.bin, 16 MB) and a netcat service that asked questions about the firmware contents; the answers have to be dug out of the dump.

Analysis

OpenWRT firmware typically consists of multiple partitions:

  1. Bootloader - U-Boot or similar
  2. Kernel - Linux kernel image
  3. SquashFS - Read-only root filesystem (base system)
  4. JFFS2 - Writable overlay filesystem (user configurations)

The key insight is that sensitive data (passwords, credentials, custom configs) lives in the JFFS2 overlay, not in the base SquashFS. The SquashFS image is read-only and holds only the defaults shipped with the firmware; OpenWRT mounts the writable JFFS2 partition over it as /overlay, so every change made after first boot, such as a root password set in /etc/shadow or an edited UCI file under /etc/config, is written to the overlay. Extracting only the SquashFS therefore shows the stock system and misses exactly the data the challenge asks about.

Filesystem Signatures

  Filesystem   Magic bytes   Hex
  SquashFS     hsqs          68 73 71 73
  JFFS2        \x85\x19      85 19

The JFFS2 magic is the 16-bit value 0x1985 stored in the target's native byte order; on this little-endian router it appears on disk as 85 19.

Solution

Step 1: Locate and Extract SquashFS

  # Find the SquashFS signature
  xxd chal_router_dump.bin | grep -i "hsqs"
  # Found at offset 0x42c2c8 (4375240 decimal)

  # Extract the SquashFS partition (copies from the superblock to the end of the dump)
  dd if=chal_router_dump.bin of=squashfs.bin bs=1 skip=4375240

  # Unpack the filesystem into rootfs/
  unsquashfs -d rootfs squashfs.bin

The dd command copies everything after the superblock, including the JFFS2 partition that follows; that is harmless, because unsquashfs only reads the number of bytes recorded in the superblock's bytes_used field and ignores trailing data. bs=1 is slow on a 16 MB image; GNU dd accepts iflag=skip_bytes with a larger block size to avoid copying one byte at a time.

From SquashFS we get:

  • /etc/openwrt_release → OpenWRT version: 23.05.0

Step 2: Locate and Extract JFFS2

  # Find the JFFS2 magic (0x1985, stored little-endian on this router, so the bytes are 85 19)
  xxd chal_router_dump.bin | grep "8519"
  # Found at offset 0x7c0000
  ...

Two caveats with this search. First, xxd groups the hex column into 2-byte words by default, so "8519" only matches when the magic starts at an even offset; that works here because JFFS2 partitions begin on an erase-block boundary and every node is 4-byte aligned, but a byte-exact search (grep with a binary pattern, or binwalk's signature scan) is safer. Second, expect many matches: every JFFS2 node, including the cleanmarker at the start of each erased block, begins with the magic, and the partition start is the lowest offset in that run.
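The following script, an added example and not code from the writeup, automates Steps 1 and 2: it searches the dump for both magic values at any byte offset, validates each candidate (SquashFS v4 superblock fields, JFFS2 node header CRC) so that stray magic bytes inside the kernel or bootloader are rejected, cuts the SquashFS at its bytes_used length, and hands back the overlay from its first valid node to the end of the dump. It goes slightly beyond the writeup by also recognising JFFS2 images written for big-endian targets, where the magic appears as 19 85. The sample image it builds is constructed for the example (decoys, a 96-byte superblock and a two-node overlay); it is not the challenge file. The function and field names are this example's own.

```python
"""Locate and carve SquashFS / JFFS2 partitions in a raw flash dump (added example;
the sample image below is constructed, not the challenge dump)."""
import struct, sys, zlib
from typing import List, NamedTuple, Tuple

SQUASHFS_MAGIC = b"hsqs"     # 0x73717368, always stored little-endian
JFFS2_MAGIC = 0x1985         # stored in the target's byte order: 85 19 (LE) or 19 85 (BE)
JFFS2_CLEANMARKER = 0x2003   # node type that opens a freshly erased block

class Hit(NamedTuple):
    offset: int
    fs: str       # "squashfs", "jffs2-le" or "jffs2-be"
    length: int   # SquashFS bytes_used from the superblock; 0 for JFFS2

def jffs2_crc(data: bytes) -> int:
    """JFFS2 header CRC: CRC-32 with zero seed and no final inversion (kernel crc32_le(0, ...))."""
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def squashfs_bytes_used(img: bytes, off: int):
    """bytes_used from a plausible SquashFS v4 superblock at off, else None."""
    if off + 96 > len(img):                      # the v4 superblock is 96 bytes
        return None
    block_size, = struct.unpack_from("<I", img, off + 12)
    s_major, = struct.unpack_from("<H", img, off + 28)
    bytes_used, = struct.unpack_from("<Q", img, off + 40)
    if (s_major != 4 or not (4096 <= block_size <= 1 << 20) or block_size & (block_size - 1)
            or bytes_used < 96 or off + bytes_used > len(img)):
        return None
    return bytes_used

def jffs2_node_ok(img: bytes, off: int, fmt: str) -> bool:
    """True if the JFFS2 node header (magic, nodetype, totlen, hdr_crc) at off is consistent."""
    if off + 12 > len(img):
        return False
    magic, _nodetype, totlen, hdr_crc = struct.unpack_from(fmt + "HHII", img, off)
    if magic != JFFS2_MAGIC or totlen < 12 or off + totlen > len(img):
        return False
    return jffs2_crc(img[off:off + 8]) == hdr_crc

def _candidates(img: bytes, pattern: bytes):
    start = 0
    while (off := img.find(pattern, start)) >= 0:
        yield off
        start = off + 1

def scan(img: bytes) -> List[Hit]:
    """Return one Hit per partition start, sorted by offset."""
    hits: List[Hit] = []
    for off in _candidates(img, SQUASHFS_MAGIC):
        used = squashfs_bytes_used(img, off)
        if used is not None:
            hits.append(Hit(off, "squashfs", used))
    for pattern, fmt, name in ((b"\x85\x19", "<", "jffs2-le"), (b"\x19\x85", ">", "jffs2-be")):
        for off in _candidates(img, pattern):
            if jffs2_node_ok(img, off, fmt):
                hits.append(Hit(off, name, 0))
    hits.sort()
    starts: List[Hit] = []   # every JFFS2 node carries the magic: keep the first of each run
    for h in hits:
        if h.fs != "squashfs" and starts and starts[-1].fs == h.fs:
            continue
        starts.append(h)
    return starts

def carve(img: bytes, hits: List[Hit]) -> List[Tuple[Hit, bytes]]:
    """SquashFS is cut at bytes_used; anything else runs to the next hit or the end of the dump."""
    parts = []
    for i, h in enumerate(hits):
        nxt = hits[i + 1].offset if i + 1 < len(hits) else len(img)
        end = h.offset + h.length if h.fs == "squashfs" else nxt
        parts.append((h, img[h.offset:end]))
    return parts

def jffs2_node(nodetype: int, payload: bytes, fmt: str = "<") -> bytes:
    """Build a JFFS2 node with a valid header CRC, padded to 4 bytes (for the sample image)."""
    head = struct.pack(fmt + "HHI", JFFS2_MAGIC, nodetype, 12 + len(payload))
    node = head + struct.pack(fmt + "I", jffs2_crc(head)) + payload
    return node + b"\xff" * (-len(node) % 4)

def build_sample_image() -> bytes:
    """Constructed dump: two decoys (must be rejected), a SquashFS v4 superblock, a LE JFFS2 overlay."""
    filler = b"\x00" * 0x100
    decoy_sq = SQUASHFS_MAGIC + b"\x00" * 92     # magic, but version and block_size are 0
    decoy_jffs2 = b"\x85\x19" + b"\x00" * 10     # magic, but totlen is 0 and the CRC is wrong
    sb = bytearray(96)
    sb[0:4] = SQUASHFS_MAGIC
    struct.pack_into("<I", sb, 12, 1 << 17)      # block_size 128 KiB
    struct.pack_into("<H", sb, 28, 4)            # s_major 4
    struct.pack_into("<Q", sb, 40, 0x200)        # bytes_used
    squash = bytes(sb) + b"\x00" * (0x200 - 96)
    overlay = (jffs2_node(JFFS2_CLEANMARKER, b"") + jffs2_node(0xE002, b"constructed payload")
               + b"\xff" * 0x40)                 # 0xE002 = inode node; 0xff = erased space
    return filler + decoy_sq + decoy_jffs2 + filler + squash + filler + overlay

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for hit, data in carve(image, scan(image)):
        open(f"{hit.fs}_{hit.offset:#x}.bin", "wb").write(data)
        print(f"{hit.fs} at {hit.offset:#x} ({hit.offset} dec), {len(data)} bytes")
```

Run it with the dump as the only argument (python3 carve.py chal_router_dump.bin) and feed the squashfs_*.bin file to unsquashfs and the jffs2-*.bin file to a JFFS2 extractor such as jefferson; with no argument it carves the constructed sample. The superblock checks (version 4, power-of-two block size between 4 KiB and 1 MiB, bytes_used within the image) and the header CRC are what keep a 2- or 4-byte magic from producing false partition starts in 16 MB of kernel and bootloader bytes.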
