0xPThree.gitbook.io
Firmware

Unlike JTAG, where we modify and manipulate data in memory on the fly, here we extract the firmware image, modify it offline and write it back, which achieves the same or similar things.

Filesystem Manipulation

$ binwalk -e flashdump.bin
..
1466652    0x16611c    Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ cd _flashdump.bin.extracted/squashfs-root

## Change the uid of users in ./etc/passwd
## Change the password hash of users in ./etc/shadow
## Change ./etc/inittab to modify which command is run when the system is powered on
## Change scripts in ./etc/init.d/
## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)
## Preserve file ownership and permissions of squashfs-root by re-extracting with unsquashfs as root
## (binwalk's extraction as a normal user cannot restore the original ownership)
$ binwalk -e flashdump.bin
$ cd _flashdump.bin.extracted
$ rm -r squashfs-root
$ sudo unsquashfs 16611c.squashfs
Parallel unsquashfs: Using 4 processors
..
created 468 files
created 61 directories
created 184 symlinks
created 1 devices
created 0 fifos

Pack it all back together:

$ sudo apt install squashfs-tools

## compression (xz) and blocksize (262144) are told to us when extracting with binwalk
$ mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144

## Copy the original dump, find the offset of the squashfs partition with binwalk, and write the rebuilt filesystem in place with dd
$ cp flashdump.bin mod.bin
$ binwalk mod.bin
DECIMAL    HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
...
1466652    0x16611C       Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ dd if=myfs of=mod.bin bs=1 seek=1466652 conv=notrunc
1937464+0 records in
1937464+0 records out
1937464 bytes (1.9 MB, 1.8 MiB) copied, 10.7821 s, 180 kB/s

Image mod.bin is now ready to be flashed back to the target system.
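The dd step writes the rebuilt filesystem at the original offset with conv=notrunc, and the dd output above shows the new image (1937464 bytes) is larger than the original (1919250 bytes), so before flashing it is worth confirming that the new image still fits in the partition's slot and does not overwrite what follows it. The Python script below is an added example, not code from the original page: it decodes the squashfs v4 superblock (the same fields binwalk prints) and checks whether a rebuilt image fits, assuming the space after the original filesystem is erased flash (0xFF padding) up to the next partition; the flash dump used here is constructed inline.

```python
import struct

SQUASHFS_MAGIC = 0x73717368          # "hsqs" as a little-endian u32
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# squashfs v4 superblock, first 48 bytes: up to and including bytes_used
SUPERBLOCK_FMT = "<IIIIIHHHHHHQQ"


def parse_superblock(dump, offset):
    """Decode the squashfs v4 superblock found at `offset` in a flash dump."""
    f = struct.unpack_from(SUPERBLOCK_FMT, dump, offset)
    if f[0] != SQUASHFS_MAGIC:
        raise ValueError("no squashfs magic at 0x%x" % offset)
    return {
        "inodes": f[1],
        "block_size": f[3],
        "compression": COMPRESSORS.get(f[5], "unknown(%d)" % f[5]),
        "version": "%d.%d" % (f[9], f[10]),
        "bytes_used": f[12],           # on-disk size of the filesystem
    }


def slot_end(dump, offset, pad=0xFF):
    """End of the space usable for the filesystem: bytes_used of the original
    plus the erased-flash padding that follows it. Assumption: the slot is
    followed by erased flash (0xFF) rather than data that starts with 0xFF."""
    end = offset + parse_superblock(dump, offset)["bytes_used"]
    while end < len(dump) and dump[end] == pad:
        end += 1
    return end


def fits(dump, offset, new_image):
    """True if `new_image` (mksquashfs output, built with -nopad) can be
    written at `offset` with dd conv=notrunc without clobbering the next slot."""
    return offset + len(new_image) <= slot_end(dump, offset)


def build_sample():
    """Constructed dump: 64 bytes of header, a squashfs with bytes_used=200
    (xz, blocksize 262144, like the page's image), 24 bytes of 0xFF padding,
    then the start of another partition. Not a real firmware image."""
    sb = struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC, 714, 0, 262144, 0,
                     4, 18, 0, 1, 4, 0, 0, 200)
    fs = sb + b"\x00" * (200 - len(sb))
    return b"\xAA" * 64 + fs + b"\xFF" * 24 + b"NEXTPART" * 8


if __name__ == "__main__":
    dump = build_sample()
    print(parse_superblock(dump, 64))
    print("fits:", fits(dump, 64, b"x" * 224), fits(dump, 64, b"x" * 225))
```

On a real dump, pass the offset binwalk reports (1466652 in the page's example) and the contents of the rebuilt myfs file to fits().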

Last updated 1 year ago