The Needle

Write Up

file firmware.bin returns:

firmware.bin: Linux kernel ARM boot executable zImage (big-endian)

While searching the internet for this kind of file, I found that there’s a nifty little tool called binwalk specifically designed to extract the Linux file system from these files.

Pretty easy to use, too!

binwalk --extract ./firmware.bin

I spun up the challenge instance and connected to the port that it specified using netcat:

nc <ip> <port>

This showed me that it was running some sort of login server, unencrypted. Likely telnet. This opens up a tonne of options to search for, such as “login”, “telnet”, and the normal passwd files.

I decided to run a search for the term “login”. I found the following:

cd _firmware.bin.extracted && grep -rn "./" -e "login"
./		telnetd -l "/usr/sbin/login" -u Device_Admin:$sign	-i $lf &

Woah, it really can’t be that easy, right? This defines a user for login in telnet. Specifically, it defines a user “Device_Admin”, with a password in a file called “sign”. So I did the thing to find a file with a certain name.

find ./ -name sign

This returned exactly two results.


They both contain the same text (I think something failed during the binwalk, but who knows?). Time to go back to the firmware instance. This time I used telnet.

telnet <ip> <port>

I supplied user “Device_Admin” and the password from the sign file. Immediately met with a user prompt, I was given the opportunity to cat flag.txt and got the flag.
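
The same finding can be turned into a repeatable audit of an extracted firmware tree. The script below is an added example, not part of the original write-up: it flags every telnetd invocation that passes credentials with -u user:secret and shows where a variable-held secret is assigned. The function names, the sample init script and the way $sign is assigned in it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up): audit an extracted firmware tree for
# telnetd started with inline credentials, the `-u user:secret` pattern above.

# scan_telnetd_creds ROOT
# One line per hit: FILE<TAB>LINE<TAB>USER<TAB>literal|variable<TAB>NAME
# Literal secrets are never echoed; for a variable, NAME is the variable name.
# Assumes paths under ROOT contain no ':' (grep -n output is split on it).
scan_telnetd_creds() {
    grep -rnIE -e 'telnetd.*[[:space:]]-u[[:space:]]+[^[:space:]:]+:[^[:space:]]+' "$1" 2>/dev/null |
    while IFS= read -r hit; do
        file=${hit%%:*}; rest=${hit#*:}
        lineno=${rest%%:*}; text=${rest#*:}
        cred=$(printf '%s\n' "$text" |
               sed -E 's/.*[[:space:]]-u[[:space:]]+([^[:space:]]+).*/\1/')
        user=${cred%%:*}; secret=${cred#*:}
        case $secret in
            \$*) kind=variable; name=$(printf '%s' "$secret" | tr -d '${}"') ;;
            *)   kind=literal;  name='<redacted>' ;;
        esac
        printf '%s\t%s\t%s\t%s\t%s\n' "$file" "$lineno" "$user" "$kind" "$name"
    done
}

# secret_sources ROOT VARNAME
# Shows where a variable-held secret is assigned, so the backing file or
# constant shipped in the image can be reviewed.
secret_sources() {
    grep -rnIE -e "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" 2>/dev/null
}

# Constructed sample tree (not the challenge firmware): one init script.
# The assignment of $sign from a file is an assumption for illustration.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/init.d" || return 1
    cat > "$d/etc/init.d/S99telnet" <<'EOF'
#!/bin/sh
sign=`cat /etc/config/sign`
telnetd -l "/usr/sbin/login" -u Device_Admin:$sign -i $lf &
EOF
    printf '%s\n' "$d"
}

# Usage: sh audit.sh [_firmware.bin.extracted]; with no argument, use the sample.
root=${1:-$(make_sample_tree)}
scan_telnetd_creds "$root"
secret_sources "$root" sign
```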