Best Router – Forensic – CSAW17

Best Router – Forensic – CSAW17

For this challenge we have an archive containing a large img file which is a dump of an sd card from a Rasperry Pi. so after extracting it and mounting it we are able to navigate through the files. Nothing in home directory, /etc folder told us that’s there is an apache server on this Pi so we go to /var/www and there are some interesting files :

flag.txt is empty but we got credentials (admin:iforgotaboutthemathtest) to log into the login.pl. A quick look to the login.pl :

#!/usr/bin/perl

if ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
}

open(FH,"username.txt") or &dienice("Can't open username.txt: $!");
$username = ;
close(FH);

open(FH,"password.txt") or &dienice("Can't open password.txt: $!");
$password = ;
close(FH);

open(FH,"flag.txt") or &dienice("Can't open flag.txt: $!");
$flag = ;
close(FH);

print "Content-type:text/html\r\n\r\n";

if ($FORM{"username"} ne $username && $FORM{"password"} ne $password){
    print "";
    print "";
    print "[ BEST ROUTER ]";
    print "";
    print "";
    print "

Sorry, your credentials are wrong

 

";
    print "";
    print "";
    exit 0;
} else {
    print "";
    print "";
    print "[ BEST ROUTER ]";
    print "";
    print "";
    print "

Authenticated

“;
print ”

$flag

“;
print ”

"; print "";
 }

 

So we go the online version at http://forensics.chal.csaw.io:3287/ and log in.


flag{but_I_f0rgot_my_my_math_test_and_pants}

Leave a Reply

Your email address will not be published. Required fields are marked *