# niteCTF 2024 - und3rC0VEr

**Title:** und3rC0VEr

**Description:** Our company's entire network was hacked by a rogue group which we suspect was paid by our competitor. Our forensics team found the router through which the hacker gained access. Help us find the admin password of this compromised router. Wrap the password in the flag format: `nite{}`

**Files:** [README.md, imgs, router-disk1.vmdk, router-file1.iso, router.mf and router.ovf](https://drive.proton.me/urls/HGH4QV8TM8#Rct6SuMO1bEM)

## Solution:

First, I examined the file types to get a better understanding of what we're working with.

```
$ file router-disk1.vmdk
router-disk1.vmdk: VMware4 disk image
```

This is a VMware virtual disk, most likely containing the router's operating system and configuration. The first approach I wanted to try was accessing the disk contents directly, for which I used QEMU's Network Block Device (NBD) server to expose the VMDK as a local block device:

```
# Load the NBD kernel module
$ sudo modprobe nbd max_part=8

# Connect the VMDK as a network block device
$ sudo qemu-nbd --connect=/dev/nbd0 router-disk1.vmdk

# Examine the partition layout
$ sudo fdisk -l /dev/nbd0
Disk /dev/nbd0: 8 GiB, 8589934592 bytes, 16777216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xf7f52f51

Device       Boot  Start      End  Sectors  Size Id Type
/dev/nbd0p1         2048     4095     2048    1M 83 Linux
/dev/nbd0p2         4096    73727    69632   34M 83 Linux
/dev/nbd0p3        73728   143359    69632   34M 83 Linux
/dev/nbd0p4       143360 16777215 16633856  7.9G  f W95 Ext'd (LBA)
/dev/nbd0p5       145408  4339711  4194304    2G 83 Linux
/dev/nbd0p6      4341760  4351999    10240    5M 83 Linux
/dev/nbd0p7      4354048  4364287    10240    5M 83 Linux
/dev/nbd0p8      4366336  4376575    10240    5M 83 Linux
/dev/nbd0p9      4378624  4388863    10240    5M 83 Linux
/dev/nbd0p10     4390912  4399103     8192    4M 83 Linux
/dev/nbd0p11     4401152 16777215 12376064  5.9G 83 Linux
```

The layout, a dozen partitions most of them only a few megabytes, already suggests an appliance image rather than a general-purpose Linux install. Rather than mounting each partition in turn, I first tried raw data analysis over the whole device:

```
$ sudo strings /dev/nbd0 | grep -i password
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>
```

The key name `com.cisco.csr1000v.login-password.1` identifies the image as a Cisco CSR 1000v and the hit as an OVF environment property: the hypervisor hands these `oe:key`/`oe:value` pairs to the VM at first boot for day-0 configuration, and the router keeps that environment XML on disk in plaintext, which is why the same line shows up several times. Following the specified flag format, this was the flag: `nite{pwn_m3_d4ddy}`

Two housekeeping points when doing this against a real forensic image rather than a CTF file: attach it read-only (`qemu-nbd` has a `--read-only` flag) so nothing you do alters the evidence, and detach it with `qemu-nbd --disconnect /dev/nbd0` when you're done.

After I had a look at the official writeup, I realised that this was not the intended method for this challenge; you can read the official writeup here: [und3rC0VEr Solution](https://github.com/Cryptonite-MIT/niteCTF-2024/tree/main/misc/und3rC0VEr/solution)
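The `strings | grep` one-liner above works, but it loads no structure and cannot tell you which copies are distinct or which other OVF properties sit next to the password. As an added example (not part of the original writeup or the challenge files), the script below carves every OVF `<Property>` element out of a raw disk image in fixed-size chunks, re-scanning an overlap so an element that straddles a chunk boundary is still found, and returns the distinct values per key. The sample image it builds is constructed here (filler bytes with the environment XML embedded twice); the hostname and username values in it are made up, and only the password value is taken from the writeup.

```python
import re
import tempfile
from pathlib import Path

# An OVF environment <Property> element as it appeared in the strings output.
OVF_PROP_RE = re.compile(rb'<Property\s+oe:key="([^"]+)"\s+oe:value="([^"]*)"\s*/>')

OVERLAP = 4096  # longer than any element we expect; keeps a boundary-straddling match intact


def scan_ovf_properties(image_path, key_filter="password", chunk_size=1 << 20):
    """Carve OVF <Property> elements out of a raw disk image without mounting it.

    Reads the image in chunks (so a multi-GiB disk is never loaded whole) and
    re-scans the last OVERLAP bytes of the previous chunk together with the next
    one, so an element split across a chunk boundary is still matched.
    Returns {key: sorted distinct values} for keys containing key_filter.
    """
    found = {}
    tail = b""
    with open(image_path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            buf = tail + block
            for m in OVF_PROP_RE.finditer(buf):
                key = m.group(1).decode("ascii", "replace")
                value = m.group(2).decode("ascii", "replace")
                if key_filter in key.lower():
                    # a copy inside the overlap is seen twice; the set dedups it
                    found.setdefault(key, set()).add(value)
            tail = buf[-OVERLAP:]
    return {k: sorted(v) for k, v in found.items()}


def to_flag(value):
    """Wrap a recovered value in the challenge's flag format."""
    return "nite{" + value + "}"


def build_sample_image(path):
    """Write a constructed stand-in for router-disk1.vmdk (not the real image):
    filler bytes with the OVF environment XML embedded twice, mirroring the
    several copies the real disk held. Hostname and username are made up."""
    env = (b"<Environment><PropertySection>"
           b'<Property oe:key="com.cisco.csr1000v.hostname.1" oe:value="edge-rtr"/>'
           b'<Property oe:key="com.cisco.csr1000v.login-username.1" oe:value="admin"/>'
           b'<Property oe:key="com.cisco.csr1000v.login-password.1" oe:value="pwn_m3_d4ddy"/>'
           b"</PropertySection></Environment>")
    filler = bytes(range(256)) * 64  # 16 KiB of non-XML bytes around each copy
    with open(path, "wb") as fh:
        fh.write(filler + env + filler + env + filler)


def run_demo(chunk_size=1 << 20, key_filter="password"):
    """Build the sample image in a temp dir, scan it and return what was recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "sample-disk.raw"
        build_sample_image(img)
        return scan_ovf_properties(img, key_filter=key_filter, chunk_size=chunk_size)


if __name__ == "__main__":
    for key, values in run_demo().items():
        for v in values:
            print(f"{key} = {v!r} -> {to_flag(v)}")
```

To run it against the real device, point `scan_ovf_properties` at `/dev/nbd0` (or at a raw image converted with `qemu-img convert`) and pass `key_filter=""` to list every property, which is a quick way to pull the hostname, usernames and any other day-0 settings the OVF environment carried alongside the password.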