Hack The Box: Intro to Hardware Hacking



Debugging Interface

This challenge comes with a zip file. Unzipping it, we find a file called debugging_interface_signal.sal. The .sal extension is not one of the usual data formats, so the first step is to let file identify it:

$ file debugging_interface_signal.sal
debugging_interface_signal.sal: Zip archive data, at least v2.0 to extract, compression method=deflate

Unzipping that archive in turn yields two files, digital-0.bin and meta.json. The JSON metadata holds display settings such as viewport, scaleperpixel and channel. The binary file carries the string “<SALEAE>” at the start of its header:

$ xxd digital-0.bin | head
00000000: 3c53 414c 4541 453e 0100 0000 6400 0000  <SALEAE>....d...
00000010: 0100 0000 0084 d787 414b 80f6 5e78 0100  ........AK..^x..
00000020: 0066 6666 6666 66e6 3f00 003a 0000 0000  .ffffff.?..:....

So the .sal file is a capture saved by Saleae Logic 2, the vendor's software for recording and analyzing logic-analyzer signals. No Saleae device is needed to open an existing capture, so I downloaded Logic 2 and loaded the .sal file:


Within Logic 2 you can run protocol analyzers on a captured channel, here the “Async Serial” analyzer for a UART line, but it only produces valid output if the bit rate (baud rate) is set to match the signal. After some research I found that the rate can be estimated with the “Baud rate estimation” extension, which gave the following result:


On the lower left it reports f_baud = 31.23 kHz, i.e. about 31230 bit/s. An asynchronous decoder resynchronizes on every start bit, so a configured rate within a couple of percent of the true value is good enough. Entering this value in the analyzer turns the frames into readable text:


The decoded text begins with: “\n[MSG] Activity from: 65ec312325f43f40107dfcba651cab2d1afb6df54578065f1d8bba89801d3ef2\r\n[MSG] Activity from: ebb2b5d1dfbbb8174f5fb1fd15230540aea77772d3a65482def3d978f6caf152\r\n[MSG] Activity from: f7fab4b591754a190be32cb607f257f436fa3f325d71edf41b6179c5330cd75a\r\n[MSG] Activity from: 476bdcaf166385371f49c54ba74d275cfdfa5c70c255ea45363e3795cbc11ae5\r\n[MSG] Activity from: 63681fa3c03451c49f9fc2ab9be43b…”, and at the end of the dump we find the flag.
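To make the two steps above concrete, here is an added example (not part of the original writeup and not Saleae's code) that does by hand what the “Baud rate estimation” extension and the Async Serial analyzer did: in an asynchronous serial capture the shortest pulse between two edges is one bit wide, so its inverse approximates the bit rate, and sampling at the centre of each bit after a start bit recovers the bytes. The capture it works on is constructed in code at an assumed 31250 baud and carries a made-up message; it is not the challenge's digital-0.bin, whose internal layout is not documented here.

```python
"""Estimate a UART bit rate from edge timestamps and decode 8N1 frames.

Added example: the edge list is constructed here (idle-high line, 8N1, an
assumed 31250 baud), not read from the challenge's .sal capture.
"""
from typing import List, Tuple

Edge = Tuple[float, int]  # (timestamp in seconds, line level after the edge)


def frame_bits(data: bytes) -> List[int]:
    """8N1 line bits: start (0), eight data bits LSB first, stop (1)."""
    bits: List[int] = []
    for byte in data:
        bits.append(0)
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)
    return bits


def make_capture(data: bytes, baud: float, idle_bits: int = 8) -> List[Edge]:
    """Constructed edge list for an idle-high line carrying `data`."""
    bits = [1] * idle_bits + frame_bits(data) + [1] * idle_bits
    bit_time = 1.0 / baud
    edges = [(0.0, bits[0])]
    for i in range(1, len(bits)):
        if bits[i] != bits[i - 1]:
            edges.append((i * bit_time, bits[i]))
    return edges


def estimate_baud(edges: List[Edge]) -> float:
    """Shortest pulse = one bit. Refine by treating every pulse as a whole
    number of such bits and averaging, which smooths out sampling jitter.
    Caveat: if the payload never produces a single-bit pulse, the result is
    a fraction of the true rate; framing errors in the decode reveal that."""
    widths = [b[0] - a[0] for a, b in zip(edges, edges[1:])]
    shortest = min(widths)
    bits_total = sum(round(w / shortest) for w in widths)
    return bits_total / sum(widths)


def level_at(edges: List[Edge], t: float) -> int:
    """Line level at time t: the level set by the last edge at or before t."""
    level = edges[0][1]
    for ts, lvl in edges:
        if ts > t:
            break
        level = lvl
    return level


def decode_8n1(edges: List[Edge], baud: float) -> Tuple[bytes, int]:
    """Return (decoded bytes, framing-error count). Every falling edge seen
    while the line is idle is a start bit; data bits are sampled at their
    centres; a low stop bit counts as a framing error and the byte is dropped."""
    bit = 1.0 / baud
    out = bytearray()
    errors = 0
    t = edges[0][0]
    idx = 0
    while True:
        # next falling edge at or after t = next start bit
        while idx < len(edges) and (edges[idx][1] != 0 or edges[idx][0] < t):
            idx += 1
        if idx >= len(edges):
            return bytes(out), errors
        start = edges[idx][0]
        value = 0
        for n in range(8):
            if level_at(edges, start + (n + 1.5) * bit):
                value |= 1 << n
        if level_at(edges, start + 9.5 * bit):  # stop bit must be high
            out.append(value)
        else:
            errors += 1
        t = start + 9.5 * bit  # skip this frame's edges, stop before the next start


if __name__ == "__main__":
    sample = b"[MSG] Activity from: deadbeef\r\n"  # constructed, not the capture
    cap = make_capture(sample, 31250.0)
    rate = estimate_baud(cap)
    text, bad = decode_8n1(cap, rate)
    print(f"estimated {rate:.0f} baud, {bad} framing errors, payload {text!r}")
```

The estimate is only as good as the shortest pulse in the capture: a long, quiet stream with no isolated one-bit pulses will come out at half or a third of the real rate, which is why checking the decoder for framing errors (or garbage text, as with a wrong setting in Logic 2) is part of the procedure.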


The Needle

In this task, we get a firmware binary called firmware.bin. Some file info:

$ file firmware.bin
firmware.bin: Linux kernel ARM boot executable zImage (big-endian)

I extracted the strings and looked through them, but found nothing useful. I also converted the image to an ELF with extract-vmlinux and browsed it in Ghidra, which did not help either. In the end I found the hint that the filesystems embedded in the image can be carved out with binwalk:

$ binwalk -e firmware.bin

Note: I had to uninstall p7zip, because otherwise the extracted file structure got messed up…


From this point it is rather easy. In the extracted root filesystem, /etc/script/ contains a startup script telnetd.sh:

#!/bin/sh
sign=`cat /etc/config/sign`
TELNETD=`rgdb -g /sys/telnetd`
if [ "$TELNETD" = "true" ]; then
        echo "Start telnetd ..." > /dev/console
        if [ -f "/usr/sbin/login" ]; then
                lf=`rgbd -i -g /runtime/layout/lanif`
                telnetd -l "/usr/sbin/login" -u Device_Admin:$sign      -i $lf &
        else
                telnetd &
        fi
fi

This shows that telnetd is started with a fixed account: the user is Device_Admin and the password is $sign, which the script reads from /etc/config/sign. Because that file ships inside the firmware image, the password is not device-specific, and anyone who extracts the filesystem can read it. Taking the value from the extracted /etc/config/sign and logging in over the challenge's telnet connection as Device_Admin yields the flag.
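The same hunt can be automated over a whole extracted rootfs. The following is an added example (not from the original writeup) that scans init scripts under etc/ for a telnetd invocation with a -u USER:PASSWORD argument and, when PASSWORD is a shell variable filled by a backticked or $(...) cat, reads the referenced file from the extracted root. It runs against a stand-in rootfs built in a temporary directory from a trimmed copy of the script above and a placeholder sign value; the real contents of the challenge's /etc/config/sign are not reproduced.

```python
"""Find hard-coded telnetd credentials in an extracted firmware root.

Added example. The rootfs it scans is constructed below with a placeholder
secret; point find_telnet_credentials() at a real binwalk extraction
(e.g. _firmware.bin.extracted/squashfs-root) to use it for real.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Union

# "telnetd ... -u USER:PASSWORD" on one line; PASSWORD may be a literal or $var
TELNETD_U = re.compile(r"\btelnetd\b[^\n]*?-u\s+(\S+?):(\S+)")
# VAR=`cat /path`   or   VAR=$(cat /path)
CAT_ASSIGN = re.compile(r"^\s*(\w+)=(?:`|\$\()\s*cat\s+(\S+?)\s*(?:`|\))", re.M)


def resolve_password(script_text: str, token: str, root: Union[str, Path]) -> str:
    """Turn "$sign" into the contents of <root>/etc/config/sign when the
    script fills that variable with cat; literal passwords pass through."""
    root = Path(root)
    m = re.fullmatch(r"\$\{?(\w+)\}?", token)
    if not m:
        return token
    var = m.group(1)
    for name, path in CAT_ASSIGN.findall(script_text):
        if name == var:
            target = root / path.lstrip("/")  # stay inside the extracted root
            if target.is_file():
                return target.read_text(errors="replace").strip()
            return f"<{path} missing from image>"
    return f"<${var} unresolved>"


def find_telnet_credentials(root: Union[str, Path]) -> List[Dict[str, str]]:
    """Walk <root>/etc and report every telnetd -u user:password found."""
    root = Path(root)
    hits: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(root / "etc"):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            for user, pw in TELNETD_U.findall(text):
                hits.append({
                    "script": str(p.relative_to(root)),
                    "user": user,
                    "password": resolve_password(text, pw, root),
                })
    return hits


# Constructed stand-in for the extracted rootfs: a trimmed copy of the
# telnetd.sh shown above plus a placeholder sign file (not the real value).
SAMPLE_SCRIPT = """#!/bin/sh
sign=`cat /etc/config/sign`
TELNETD=`rgdb -g /sys/telnetd`
if [ "$TELNETD" = "true" ]; then
        telnetd -l "/usr/sbin/login" -u Device_Admin:$sign      -i $lf &
fi
"""


def build_sample_root() -> str:
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "etc" / "script").mkdir(parents=True)
    (root / "etc" / "config").mkdir(parents=True)
    (root / "etc" / "script" / "telnetd.sh").write_text(SAMPLE_SCRIPT)
    (root / "etc" / "config" / "sign").write_text("PLACEHOLDER_SIGN_VALUE\n")
    return str(root)


if __name__ == "__main__":
    for hit in find_telnet_credentials(build_sample_root()):
        print(f"{hit['script']}: {hit['user']}:{hit['password']}")
```

The regexes are deliberately narrow (one line, -u user:password, cat-filled variables); on a real image you would extend the pattern list with the other daemons the init scripts start, but the resolution step is the same: every secret a startup script reads from the filesystem is a secret the firmware image gives away.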