Modem Metamorphosis
DawgCTF SP26
Task: analyze a PCAP containing a router web administration session and firmware upgrade. Solution: extract HTTP objects, recover the router UI pages and multipart upload, then combine the old Linksys WRT610N v1 firmware version with the uploaded OpenWrt image name.
Description
Provided artifact: morph.pcap
Flag format:
DawgCTF{Manufacturer_Model_OldFirmwareVersion_NewFirmwareName_NewFirmwareVersion}
English summary: the challenge gives a packet capture of a router administration session. The goal is to identify the device, determine the old firmware version, recover the uploaded replacement firmware, and assemble the flag fields in the required order.
Analysis
Step 1: Initial PCAP triage
The first step was to confirm what protocols were present:
tshark -r morph.pcap -q -z io,phs
Relevant result:
http                 frames:250  bytes:67977
  mime_multipart     frames:1    bytes:375
That immediately suggests a web-based workflow, and the single mime_multipart entry is a strong hint that a file upload happened inside HTTP.
Step 2: Identify router admin traffic
Listing HTTP requests showed a browser talking directly to 192.168.1.1 and visiting typical embedded router pages such as /Wireless_Basic.asp, /Management.asp, and /Upgrade.asp.
tshark -r morph.pcap -Y "http.request" -T fields \
  -e frame.number -e http.request.method -e http.host -e http.request.uri
Important requests included:
2748  GET   192.168.1.1  /Management.asp
3291  GET   192.168.1.1  /Upgrade.asp
13300 POST  192.168.1.1  /upgrade.cgi
The capture also contains repeated Basic Authentication headers:
tshark -r morph.pcap -Y "http.authorization" -T fields \
  -e frame.number -e ip.src -e ip.dst -e http.authorization
Example output:
69 192.168.1.101 192.168.1.1 Basic OmFkbWlu
Decoding the Base64 portion confirms the credentials:
python3 - <<'PY'
import base64
print(base64.b64decode('OmFkbWlu').decode())
PY
Output:
:admin
The observed header decodes to :admin, i.e. an empty username and the password admin, so the session authenticated with the default admin password over HTTP Basic Auth. That explains why the browser could access the router interface in the capture; it also means the whole admin session, upload included, travelled in cleartext.
Step 3: Extract HTTP objects from the PCAP
To inspect the router web interface offline, I exported all HTTP objects:
mkdir http_objects
tshark -r morph.pcap --export-objects http,http_objects
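The two mechanical pieces of steps 2 and 3 are decoding the Basic Auth token and pulling the firmware file out of the multipart/form-data POST to /upgrade.cgi. The following Python is an added example, not code from the original writeup: it works on a reassembled HTTP request (what Follow TCP Stream or --export-objects hands you) rather than on the PCAP itself, and the request body it uses is constructed here, with a placeholder filename and fake image bytes, not data from morph.pcap. The uImage and TRX magic checks are the only real-world constants in it.

```python
import base64
import re

# Constructed sample standing in for the reassembled POST to /upgrade.cgi.
# The boundary, field names, filename and image bytes are all invented here;
# only the Authorization value mirrors the one quoted in the writeup.
SAMPLE_POST = (
    b"POST /upgrade.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Authorization: Basic OmFkbWlu\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123\r\n"
    b"\r\n"
    b"------WebKitFormBoundaryABC123\r\n"
    b'Content-Disposition: form-data; name="submit_button"\r\n'
    b"\r\n"
    b"Upgrade\r\n"
    b"------WebKitFormBoundaryABC123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="constructed-firmware.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"\x27\x05\x19\x56FAKE-IMAGE-BYTES\x00\x01\r\n"
    b"------WebKitFormBoundaryABC123--\r\n"
)


def decode_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic <b64>' value.
    Split on the first ':' only, so an empty username (':admin') and passwords
    that themselves contain ':' both survive intact."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(token, validate=True).decode("latin-1")
    user, _, password = raw.partition(":")
    return user, password


def _parse_headers(block):
    """Turn 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def split_http_message(raw):
    """Split a raw request into (request line, header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    return lines[0].decode("ascii"), _parse_headers(b"\r\n".join(lines[1:])), body


def parse_multipart(body, content_type):
    """Return the parts of a multipart/form-data body as dicts.
    The CRLF before each delimiter belongs to the delimiter (RFC 2046), so it
    is stripped from the preceding part; this matters for binary uploads."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("ascii")
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the (empty) preamble
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        phead, _, pbody = chunk.partition(b"\r\n\r\n")
        if pbody.endswith(b"\r\n"):
            pbody = pbody[:-2]
        disposition = _parse_headers(phead).get("content-disposition", "")
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "data": pbody})
    return parts


def identify_image(data):
    """Sanity check on the recovered bytes: a firmware upload should begin with a
    container magic, not with the HTML of an error page."""
    if data[:4] == b"\x27\x05\x19\x56":
        return "uImage (U-Boot legacy image header)"
    if data[:4] == b"HDR0":
        return "TRX (Broadcom/Linksys container)"
    if data.lstrip()[:1] == b"<":
        return "looks like HTML, not firmware"
    return "unknown"


def recover_upload(raw):
    """Summarise the request: who authenticated, what was uploaded, and what it looks like."""
    request_line, headers, body = split_http_message(raw)
    method, uri, _ = request_line.split(" ", 2)
    creds = decode_basic_auth(headers["authorization"]) if "authorization" in headers else None
    files = [p for p in parse_multipart(body, headers["content-type"]) if p["filename"]]
    if not files:
        raise ValueError("no file part in upload")
    f = files[0]
    return {"method": method, "uri": uri, "credentials": creds, "filename": f["filename"],
            "size": len(f["data"]), "magic": identify_image(f["data"]), "data": f["data"]}


if __name__ == "__main__":
    info = recover_upload(SAMPLE_POST)
    print({k: v for k, v in info.items() if k != "data"})
    with open(info["filename"], "wb") as fh:      # write the image out for binwalk/strings
        fh.write(info["data"])
```

On a real capture, feed the function the bytes of the reassembled POST (Follow TCP Stream, "Show as Raw") and then run `binwalk` or `strings` on the written file to recover the image name and version that go into the flag; the magic check tells you immediately whether you extracted the firmware or just the router's response page.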
...