This section gives an overview of rehosting and walks through the rehosting process with the IGLOO rehosting tools.

The two primary tools you will work with are fw2tar and penguin. fw2tar is used to create a tarball from a firmware image, and penguin is used to run the rehosted firmware.

Some notes and reminders:

  • /challenge is a read-only directory; you'll need to copy files to /tmp or your home directory to modify them.
    • If you have results you would like to save for a future challenge, you can copy them to your home directory.
  • Provide a key to /challenge/solve to get your pwn.college flag.


Challenges

Create a tarball that penguin can consume using fw2tar.

You can find your firmware in /challenge.

After you've created the tarball, you can find the solution by extracting the tarball to a temporary directory: mkdir tmp; cd tmp; tar -xvf ../[tarfile].tar.

The solution for this challenge is the string in the /etc/hostname file. Remember to feed your solution to the flag checker at /challenge/solve.

Note: You'll probably want to keep the .rootfs.tar.gz file around for the next step if you don't want to recreate it.

Connect with SSH

Link your SSH key, then connect with: ssh hacker@pwn.college

The firmware we extracted in the last challenge will rehost readily in penguin without any custom interventions. Use penguin init to create a rehosting from the .rootfs.tar.gz file you created in the previous step. Then use penguin run to run the rehosting.

If you need to recreate the rootfs, you can use fw2tar again on the original firmware image, which is available again in /challenge.

Use penguin init and penguin run to start the device. Log in to the web server interface using a web browser in the pwn.college desktop (look for connection information in the penguin run output). The solution for /challenge/solve is the third item down under "Advanced" on the left-hand menu (all lowercase) after logging into the web server.

E.g., the left menu will look like this:

> Basic
v Advanced
    >> Item 1
    >> Item 2
    >> Solution

Note: you'll have to figure out the login username and password as well!

The rest of the challenges in this module will use the same firmware, so you may wish to copy the project directory to your home directory to avoid running penguin init again.

  • However, it is recommended that you don't run penguin run out of your home directory, so copy the project to /tmp before running it.

Now we're going to move on to some basic dynamic analyses. The first analysis we'll look at is the system console. Many dynamic analysis artifacts are generated in the FIRMWARENAME/results/X directory, where X is the run number of the rehosting. I.e., each execution of penguin run will increment that number. For convenience, the most recent run is also reachable through the symlink results/latest.

Despite not usually having an easily accessible interface to the system console in the final productized version, embedded Linux systems will still output a lot of useful information to that console. By default, penguin will redirect system console output to the file results/latest/console.log.

In this challenge, we'll be looking at the OpenIPC firmware. We've provided a rootfs.tar.gz, so you'll need to do penguin init before penguin run.

Run the firmware for more than 30 seconds and then look at results/latest/console.log. Look for error messages and observe the system's startup behavior.

The solution for /challenge/solve is the path to the config file that cannot be parsed and is causing the system to throw an Exec format error.

Notes:

  1. We will be working on this firmware for the rest of the exercises in this module, so feel free to hang on to the penguin project dir.
  2. If you want the console output on stdout as well, you can set show_output: true in the project configuration.
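As an added example (not part of the IGLOO/penguin tooling or of this challenge), here is a small POSIX shell triage script for a console.log of the kind described above. The log lines it writes are constructed to resemble an embedded Linux boot; the function names are the author's own.

```shell
#!/bin/sh
# Triage a penguin console.log for common startup failures.
# Added example; the sample log below is constructed, not taken from any firmware.

write_sample_log() {
    # Write constructed console output resembling an embedded Linux boot to $1.
    cat > "$1" <<'EOF'
[    2.871000] Run /sbin/init as init process
/etc/init.d/rcS: line 12: /etc/config/sensor.conf: Exec format error
mount: mounting none on /sys/kernel/debug failed: No such file or directory
can't execute '/usr/bin/majestic': No such file or directory
sh: /etc/config/sensor.conf: Exec format error
[    4.002000] random: crng init done
EOF
}

exec_format_errors() {
    # Print each distinct path that failed with "Exec format error" in log $1.
    # The path is the last ':'-separated field before the error text.
    grep 'Exec format error' "$1" \
      | sed -n 's/.*[: ]\(\/[^: ]*\): Exec format error.*/\1/p' \
      | sort -u
}

missing_files() {
    # Print each distinct quoted path the shell reported as missing.
    sed -n "s/.*can't execute '\([^']*\)': No such file or directory.*/\1/p" "$1" \
      | sort -u
}

count_errors() {
    # Count lines mentioning any of the usual failure keywords in log $1.
    grep -c -E 'Exec format error|No such file or directory|failed' "$1"
}

# Usage: sh triage.sh results/latest/console.log
if [ $# -eq 1 ]; then
    echo "Exec format errors:";  exec_format_errors "$1"
    echo "Missing executables:"; missing_files "$1"
    echo "Error lines: $(count_errors "$1")"
fi
```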

Instead of looking at output from dynamic execution, let's start interacting with the system. As part of the firmware rehosting process, penguin adds a busybox and starts a dedicated shell with root permissions. That shell can then be used to troubleshoot your rehosting or analyze the system.

When you perform penguin run on the system you'll see a message like:

15:38:16 plugins.core INFO Root shell enabled. Connect with docker exec -it [your_container_name] telnet localhost 2023

embedded in the console output.

In that case, we can connect to the root shell with telnet localhost 2023 (in a separate window).

Once the system has booted (wait up to about a minute or so), you can get the key by providing the runtime string used as the -x argument for udhcpc.

E.g., in the process listing you'll see something like:

udhcpc -x SOLUTION -A 0 -T 1 -t 5 -R -b

and you'll want to provide whatever text is in the place where SOLUTION is to /challenge/solve.

Remember: you can exit the telnet window with Ctrl+]!

Notes:

  • The reason for the Connect with docker exec -it [your_container_name] message is that we are actually running challenges inside the penguin docker container. When using the tools separately from pwn.college, you would usually interact with penguin from outside its container.
  • We provide the firmware rootfs.tar.gz again, but feel free to use your project from last time.
