Reverse LinkOne devices

Last updated 3 years ago

Download the target firmware

For this lab I downloaded this firmware image: L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin

Extracting rootfs

binwalk -Me L1-RWH1235AC-V1.2.0.22_pt_UCB01.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            TRX firmware header, little endian, image size: 7020544 bytes, CRC32: 0x88D7ED84, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x1753B0, rootfs offset: 0x0
92            0x5C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4385244 bytes
1528816       0x1753F0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 5486271 bytes, 591 inodes, blocksize: 65536 bytes, created: 2015-03-18 03:43:45
7020640       0x6B2060        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 1398834 bytes

If unsquashfs refuses the carved filesystem with an error like "Can't find a SQUASHFS superblock on file.squashfs", the cause is usually what binwalk already reported above: a non-standard signature, i.e. the vendor changed the SquashFS magic. Use sasquatch, a patched unsquashfs that knows the vendor variants:

https://github.com/devttys0/sasquatch

sasquatch does not build with gcc 10 (the build errors out), so install gcc 9.x and make it the default compiler before running make:

sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-9 100

After that, extract the filesystem binwalk carved out at 0x1753F0:

sudo sasquatch -d rootfs 1753F0.squashfs
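As an added worked example (not code from this page or its author), the following Python script does what the binwalk run above reports: it parses the TRX header, recomputes the CRC-32 it carries, and scans for SquashFS superblocks under both the standard magic and the vendor-modified ones that stock unsquashfs rejects, reporting version, size, inode count and creation time from the superblock. The image it builds is constructed for the demonstration, not the LinkOne firmware. Assumptions stated plainly: the CRC convention (CRC-32 from the flag/version field to the end of the image, without zlib's final inversion) is the one used by OpenWrt's trx tool, and the list of non-standard magics and their byte orders follows binwalk's signature set.

```python
"""Triage of a TRX-wrapped firmware image: locate and verify the TRX header,
then find SquashFS superblocks even when the vendor changed the magic."""
import struct
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple, Union

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28

# magic -> (byte order, label). Stock unsquashfs knows only the first two; the
# rest are vendor variants ("non-standard signature" in binwalk's wording)
# that sasquatch handles. Byte order as classified by binwalk's signatures.
SQUASHFS_MAGICS = {
    b"hsqs": ("little", "standard"), b"sqsh": ("big", "standard"),
    b"shsq": ("little", "non-standard"), b"qshs": ("big", "non-standard"),
    b"hsqt": ("little", "non-standard"), b"tqsh": ("big", "non-standard"),
    b"sqlz": ("big", "non-standard"),
}


@dataclass
class TrxHeader:
    offset: int
    length: int
    crc32: int
    flags: int
    version: int
    offsets: Tuple[int, int, int]  # loader, kernel, rootfs; relative to header, 0 = absent
    crc_ok: bool


@dataclass
class SquashfsSuperblock:
    offset: int
    endian: str
    signature: str
    version: str
    inodes: int
    block_size: int
    bytes_used: int
    created: str


def trx_crc32(data: bytes) -> int:
    """TRX CRC-32 covers everything after the crc field up to `length`, init
    0xFFFFFFFF, no final inversion (OpenWrt trx tool); zlib inverts, undo it."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF


def parse_trx(image: bytes, offset: int) -> TrxHeader:
    hdr = image[offset:offset + TRX_HEADER_LEN]
    if len(hdr) < TRX_HEADER_LEN or hdr[:4] != TRX_MAGIC:
        raise ValueError("no TRX header at 0x%x" % offset)
    length, crc, flag_version, o0, o1, o2 = struct.unpack_from("<6I", hdr, 4)
    if length < TRX_HEADER_LEN or offset + length > len(image):
        raise ValueError("TRX length field out of range")
    body = image[offset + 12:offset + length]  # from flag_version to end of image
    return TrxHeader(offset, length, crc, flag_version & 0xFFFF, flag_version >> 16,
                     (o0, o1, o2), trx_crc32(body) == crc)


def parse_squashfs(image: bytes, offset: int) -> SquashfsSuperblock:
    if offset + 96 > len(image):
        raise ValueError("truncated superblock")
    endian, signature = SQUASHFS_MAGICS[image[offset:offset + 4]]
    e = "<" if endian == "little" else ">"
    inodes = struct.unpack_from(e + "I", image, offset + 4)[0]
    major, minor = struct.unpack_from(e + "HH", image, offset + 28)  # same slot in v3 and v4
    if major == 4:
        mkfs_time, block_size = struct.unpack_from(e + "II", image, offset + 8)
        bytes_used = struct.unpack_from(e + "Q", image, offset + 40)[0]
    elif major in (2, 3):  # packed pre-v4 layout (binwalk reads v2 the same way)
        mkfs_time = struct.unpack_from(e + "I", image, offset + 39)[0]
        block_size = struct.unpack_from(e + "I", image, offset + 51)[0]
        bytes_used = struct.unpack_from(e + "q", image, offset + 63)[0]
    else:
        raise ValueError("unknown SquashFS major version %d" % major)
    created = datetime.fromtimestamp(mkfs_time, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return SquashfsSuperblock(offset, endian, signature, "%d.%d" % (major, minor),
                              inodes, block_size, bytes_used, created)


def scan(image: bytes) -> List[Union[TrxHeader, SquashfsSuperblock]]:
    """binwalk-style magic scan, restricted to the two formats above."""
    hits = []
    for magic in [TRX_MAGIC, *SQUASHFS_MAGICS]:
        pos = image.find(magic)
        while pos != -1:
            try:
                hits.append(parse_trx(image, pos) if magic == TRX_MAGIC
                            else parse_squashfs(image, pos))
            except (ValueError, struct.error):
                pass  # false positive: the magic bytes occurred in ordinary data
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def build_sample_image() -> bytes:
    """Constructed test image, not the LinkOne firmware: 64 bytes of vendor
    preamble, a TRX header, a dummy loader blob and a SquashFS 3.0 superblock
    carrying the non-standard 'hsqt' magic (header fields only, no real data)."""
    loader = b"\x5d\x00\x00\x01\x00" + b"\xaa" * 200
    sb = bytearray(96)
    sb[:4] = b"hsqt"
    struct.pack_into("<I", sb, 4, 591)          # inodes
    struct.pack_into("<HH", sb, 28, 3, 0)       # version 3.0
    struct.pack_into("<I", sb, 39, 1426650225)  # mkfs_time: 2015-03-18 03:43:45 UTC
    struct.pack_into("<I", sb, 51, 65536)       # block_size
    struct.pack_into("<q", sb, 63, 5486271)     # bytes_used
    payload = loader + bytes(sb)
    tail = struct.pack("<4I", 1 << 16, TRX_HEADER_LEN, TRX_HEADER_LEN + len(loader), 0) + payload
    hdr = TRX_MAGIC + struct.pack("<II", TRX_HEADER_LEN + len(payload), trx_crc32(tail)) + tail
    return b"\x00" * 64 + hdr


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for hit in scan(data):
        print(hit)
```

Run it with the firmware file as the only argument to get the same offsets binwalk printed; a CRC mismatch on the TRX header means the image was modified or truncated after the vendor built it, which is worth knowing before you trust anything carved out of it.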

User emulation

Run the firmware's MIPS little-endian binaries on the host with qemu-user inside a chroot of the extracted rootfs. The router's programs read their configuration from NVRAM, which does not exist on the host, so preload firmadyne's libnvram, which answers the nvram_get()/nvram_set() calls from a key/value store:

# on the host, inside the extracted rootfs directory
cp /usr/bin/qemu-mipsel-static .   # from the qemu-user-static package
wget https://github.com/firmadyne/libnvram/releases/download/v1.0/libnvram.so.mipsel
(... nvram ...)   # put the library where LD_PRELOAD below expects it: /firmadyne/libnvram.so inside the rootfs
sudo chroot . ./qemu-mipsel-static /bin/sh
export LD_PRELOAD=/firmadyne/libnvram.so
httpd
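Before copying qemu-mipsel-static in, it is worth confirming what the binaries actually are. The following Python script is an added example, not part of this page or of the firmadyne project: it reads the ELF header and program headers of each file in the extracted rootfs to pick the matching qemu-user binary (from e_machine and EI_DATA), reports the dynamic loader each one needs (PT_INTERP) and flags binaries that reference nvram_get/nvram_set and so will want libnvram. Assumptions: the qemu binary names are Debian's qemu-user-static ones; the NVRAM check is a string heuristic, not symbol-table parsing; the sample ELF it builds is constructed for the test and is not a LinkOne binary.

```python
"""Pick the qemu-user binary for an extracted rootfs and spot binaries that
will need an NVRAM shim, by reading ELF headers directly."""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# e_machine -> (little-endian, big-endian) qemu-user binary names (Debian qemu-user-static)
QEMU_USER = {
    8:   ("qemu-mipsel-static", "qemu-mips-static"),
    40:  ("qemu-arm-static", "qemu-armeb-static"),
    183: ("qemu-aarch64-static", "qemu-aarch64_be-static"),
    3:   ("qemu-i386-static", None),
    62:  ("qemu-x86_64-static", None),
    20:  (None, "qemu-ppc-static"),
}
# Presence of these names is a cheap signal (heuristic, not symbol parsing)
# that a binary expects the Broadcom-style NVRAM API libnvram implements.
NVRAM_SYMBOLS = (b"nvram_get", b"nvram_set", b"nvram_bufget")
PT_INTERP = 3


@dataclass
class ElfInfo:
    path: str
    bits: int
    endian: str
    machine: int
    qemu: Optional[str]          # qemu-user binary to run it under, if known
    interpreter: Optional[str]   # PT_INTERP path; None for static binaries
    wants_nvram: bool


def parse_elf(data: bytes, path: str = "<bytes>") -> ElfInfo:
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    bits = 32 if data[4] == 1 else 64            # EI_CLASS
    endian = "little" if data[5] == 1 else "big"  # EI_DATA
    e = "<" if endian == "little" else ">"
    machine = struct.unpack_from(e + "H", data, 18)[0]
    if bits == 32:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
    else:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
    interp = None
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, ph)[0] != PT_INTERP:
            continue
        if bits == 32:  # p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_offset, _, _, p_filesz = struct.unpack_from(e + "4I", data, ph + 4)
        else:           # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_offset, _, _, p_filesz = struct.unpack_from(e + "4Q", data, ph + 8)
        interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode(errors="replace")
        break
    le_name, be_name = QEMU_USER.get(machine, (None, None))
    return ElfInfo(path, bits, endian, machine,
                   le_name if endian == "little" else be_name,
                   interp, any(s in data for s in NVRAM_SYMBOLS))


def triage_rootfs(root: Path) -> List[ElfInfo]:
    """Describe every ELF file below `root`; symlinks (busybox applets) are skipped."""
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        data = p.read_bytes()
        if data[:4] != b"\x7fELF":
            continue
        try:
            found.append(parse_elf(data, str(p.relative_to(root))))
        except (ValueError, struct.error):
            pass
    return found


def build_sample_elf(endian: str = "little") -> bytes:
    """Constructed ELF32 MIPS executable (headers and strings only, no code)
    that is dynamically linked against uClibc and references nvram_get, which is
    how a LinkOne-style httpd looks to this triage. Not a real firmware file."""
    e = "<" if endian == "little" else ">"
    interp = b"/lib/ld-uClibc.so.0\0"
    strings = b"\0nvram_get\0check_network\0"
    ehsize, phentsize, phnum = 52, 32, 2
    interp_off = ehsize + phentsize * phnum
    ident = b"\x7fELF" + bytes([1, 1 if endian == "little" else 2, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack(e + "HHIIIIIHHHHHH", 2, 8, 1, 0x400000, ehsize, 0,
                               0x1007, ehsize, phentsize, phnum, 40, 0, 0)
    ph_interp = struct.pack(e + "8I", PT_INTERP, interp_off, 0, 0, len(interp), len(interp), 4, 1)
    ph_load = struct.pack(e + "8I", 1, 0, 0x400000, 0x400000, interp_off, interp_off, 5, 0x10000)
    return ehdr + ph_interp + ph_load + interp + strings


if __name__ == "__main__":
    import sys
    infos = (triage_rootfs(Path(sys.argv[1])) if len(sys.argv) > 1
             else [parse_elf(build_sample_elf(), "bin/httpd")])
    for info in infos:
        print(info)
```

Point it at the extracted rootfs directory; the interpreter path also tells you whether the loader the binaries expect (here uClibc's) is actually present in the tree, which is the usual reason a chrooted binary dies with "not found" even though the file exists.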

After starting the web server (or the whole /etc/init.d/rcS) you will see it spin in a loop instead of serving requests.

At this point you can attach GDB (qemu-user's built-in gdb stub via -g <port>, then gdb-multiarch against the chroot's httpd).

Break on main and step forward: the process enters a loop inside the check_network call.

Reversing httpd, and check_network in particular, in IDA Pro shows what it is waiting for: an interface named br0 with an address in 192.168.0.0/24. Give the host such an interface (a tap device is enough, httpd only checks the name and the address) and start httpd inside the chroot with the firmware's own arguments:

sudo tunctl -t br0 -u $(whoami)
sudo ifconfig br0 192.168.0.1 netmask 255.255.255.0
sudo ifconfig br0 up
httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80

Full emulation

Boot a Debian squeeze MIPS little-endian guest from aurel32's image collection (root password on those images: root):

wget https://people.debian.org/~aurel32/qemu/mipsel/debian_squeeze_mipsel_standard.qcow2
wget https://people.debian.org/~aurel32/qemu/mipsel/vmlinux-2.6.32-5-4kc-malta

# plain boot, graphical console
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"
# same, with user-mode networking and the guest's SSH port forwarded to host port 7777
qemu-system-mipsel -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0"  -net nic -net user,hostfwd=tcp::7777-:22 

The key is the network backend. User-mode networking is enough to copy files in, but for httpd the guest needs an interface it can rename to br0 and give a 192.168.0.0/24 address, so attach the NIC to a tap device instead (script=no disables QEMU's ifup helper, so the host-side tap named br0 must already exist, e.g. created with tunctl as above). With -nographic also change console=tty0 to console=ttyS0 in -append, otherwise the kernel console never reaches your terminal:

-net nic -net tap,ifname=br0,script=no,downscript=no -nographic 

Pack the extracted root filesystem into rootfs.tar.gz first, then copy it into the guest over the forwarded port and log in:

scp -P 7777 rootfs.tar.gz root@127.0.0.1:/root
ssh -p 7777 root@127.0.0.1

Mount shares

Inside the guest, unpack the tarball, then bind the kernel pseudo-filesystems into the extracted tree before chrooting:

mount -t proc proc ./rootfs/proc
mount -o bind /dev ./rootfs/dev
chroot ./rootfs/ sh

A trick for this router: httpd only looks for an interface called br0, so rename the guest's eth0 to br0 with a persistent udev rule:

nano /etc/udev/rules.d/70-persistent-net.rules

The file already contains a generated rule for the emulated NIC. Keep its comment and ATTR{address} (they identify your device, so they will differ from the values shown here) and change only NAME="eth0" to NAME="br0":

# PCI device 0x11ab:0x4363 (sky2)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="br0"

Then update /etc/network/interfaces as well (change the eth0 stanza to br0 and give it a static address inside 192.168.0.0/24), reboot, and confirm the new name:

nano /etc/network/interfaces
reboot
ifconfig -a
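Whether httpd runs in the chroot on the host or inside the QEMU guest, the precondition recovered from check_network is the same: an interface named br0 that is up and holds an IPv4 address in 192.168.0.0/24. The following Python pre-flight check is an added example, not from this page: it parses the JSON that iproute2's `ip -j addr show` prints and either reports the interface that satisfies the check or returns the commands that would (the tap/ifconfig commands from the user-emulation section; inside the guest, a missing br0 is fixed by the udev rename above instead). The three JSON samples are constructed, not captured from a real host, and the live mode assumes an iproute2 with the -j flag.

```python
"""Pre-flight check for httpd's check_network precondition: an UP interface
named br0 with an IPv4 address inside 192.168.0.0/24, judged from
`ip -j addr show` output."""
import ipaddress
import json
from typing import List, Optional, Tuple

REQUIRED_IFACE = "br0"
REQUIRED_NET = ipaddress.ip_network("192.168.0.0/24")


def usable_iface(ip_json: str, name: str = REQUIRED_IFACE,
                 net: ipaddress.IPv4Network = REQUIRED_NET) -> Optional[Tuple[str, str]]:
    """Return (ifname, address) that satisfies the check, or None if httpd would still loop."""
    for link in json.loads(ip_json):
        if link.get("ifname") != name or "UP" not in link.get("flags", []):
            continue
        for a in link.get("addr_info", []):
            if a.get("family") == "inet" and ipaddress.ip_address(a["local"]) in net:
                return name, a["local"]
    return None


def fix_commands(ip_json: str, name: str = REQUIRED_IFACE,
                 net: ipaddress.IPv4Network = REQUIRED_NET) -> List[str]:
    """Commands that take the current state to the required one. A tap device is
    enough because httpd checks the name and address, not that br0 is a bridge."""
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    link = links.get(name)
    cmds = []
    if link is None:
        cmds.append(f"sudo tunctl -t {name} -u $(whoami)")
    addrs = [] if link is None else [a["local"] for a in link.get("addr_info", [])
                                     if a.get("family") == "inet"]
    if not any(ipaddress.ip_address(a) in net for a in addrs):
        cmds.append(f"sudo ifconfig {name} {next(net.hosts())} netmask {net.netmask}")
    if link is None or "UP" not in link.get("flags", []):
        cmds.append(f"sudo ifconfig {name} up")
    return cmds


# Constructed samples in the shape `ip -j addr show` prints (not captured from a real host).
BEFORE = json.dumps([
    {"ifindex": 1, "ifname": "lo", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifindex": 2, "ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "10.0.2.15", "prefixlen": 24}]},
])
# br0 exists but is down and on the wrong subnet: only the address and the up are missing
DOWN_WRONG_NET = json.dumps([
    {"ifindex": 3, "ifname": "br0", "flags": ["BROADCAST", "MULTICAST"],
     "addr_info": [{"family": "inet", "local": "10.10.0.1", "prefixlen": 24}]},
])
AFTER = json.dumps([
    {"ifindex": 3, "ifname": "br0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet6", "local": "fe80::1", "prefixlen": 64},
                   {"family": "inet", "local": "192.168.0.1", "prefixlen": 24}]},
])

if __name__ == "__main__":
    import subprocess
    # live mode: ask the running system (assumes iproute2 with JSON output)
    live = subprocess.run(["ip", "-j", "addr", "show"], capture_output=True,
                          text=True, check=True).stdout
    ok = usable_iface(live)
    print(f"httpd precondition met on {ok[0]} ({ok[1]})" if ok else "\n".join(fix_commands(live)))
```

Run it before launching httpd; if it prints commands, run them and check again, and only then start the server, so a loop in check_network can be attributed to something else.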

In the SSH shell on the guest, open the firmware's init script /etc/init.d/rcS (inside the extracted rootfs) and replace the line:

httpd &

with:

httpd --debugger --verbose --home /webroot/ --auth /var/auth.txt --route /var/route.txt 127.0.0.1 80 &

In your browser: http://127.0.0.1/login/Auth (0.0.0.0/login/Auth also reaches loopback on Linux). That works directly when httpd runs in the chroot on your host; inside the QEMU guest it is bound to the guest's loopback, so tunnel the port out with ssh -L or bind httpd to the br0 address instead of 127.0.0.1.

If the login page loads, the emulated httpd is serving the web interface; click through a few pages and check that they come back with data.

Finally, run the firmware's init script ./etc/init.d/rcS inside the chroot to bring up the remaining services.

😎
Resources

  • Link1One (vendor home page)
  • GitHub - devttys0/sasquatch: https://github.com/devttys0/sasquatch
  • Basic tips (this site)
  • Index of /~aurel32/qemu/mipsel: https://people.debian.org/~aurel32/qemu/mipsel/
  • Change Network Interface Name: eth0,eth1,eth2+ (ShellHacks)
  • Netgear stack overflow vulnerability PSV-2020-0211 (write-up by 混元霹雳手)