Link: Advent Of Cyber 4 on TryHackMe
What is the flag value after reversing the file firmwarev2.2-encrypted.gpg?
cd bin
binwalk -E -N firmwarev2.2-encrypted.gpg
The entropy scan shows the file is encrypted, so we go to the older version:
cd ../bin-unsigned
We run the firmware extractor on it:
extract-firmware.sh firmwarev1.0-unsigned
This yields many files in the fmk folder.
We find the GPG keys and the passphrase (which the room spells "paraphrase") with grep -ri key and grep -ri paraphrase, respectively: the keys are in fmk/rootfs/gpg and the passphrase is Santa@2022.
We load the private key with gpg --import fmk/rootfs/gpg/private.key and enter the passphrase when prompted.
We load the public key: gpg --import fmk/rootfs/gpg/public.key
We then list the available keys: gpg --list-secret-keys
We move back to the bin folder with cd ../bin and decrypt the firmware with the secret key: gpg firmwarev2.2-encrypted.gpg
We then enter fmk/rootfs to find flag.txt, or we run grep -ri thm to find the flag.
Answer: THM{WE_GOT_THE_FIRMWARE_CODE}
What is the Paraphrase value for the binary firmwarev1.0_unsigned?
We saw this in Question 1.
Answer: Santa@2022
After reversing the encrypted firmware, can you find the build number for rootfs?
From fmk/rootfs we run ls -lah * and find the build number.
Answer: 2.6.31
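The encrypted v2.2 image could be opened only because the unsigned v1.0 image shipped the GPG private key and its passphrase inside rootfs. The script below is an added example, not part of the room or this write-up: a release check that fails when an extracted root filesystem still contains either. The function names and the sample tree (including secret.txt and its contents) are constructed for illustration.

```shell
#!/bin/sh
# Added example: release gate for secrets left in an extracted firmware rootfs.
# All names and sample files here are constructed, not taken from the room.

# List files under $1 that contain an ASCII-armored PGP private key header.
find_private_keys() {
    grep -rlF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1" 2>/dev/null | sort
}

# List file:line for text lines that mention a passphrase. "paraphrase" is the
# spelling this room uses, so it is matched too. The secret itself is not printed.
find_passphrase_refs() {
    grep -rinIE -e 'pass ?phrase|paraphrase' "$1" 2>/dev/null | cut -d: -f1,2 | sort
}

# Exit status 0 = clean tree, 1 = findings (printed to stdout).
audit_rootfs() {
    keys=$(find_private_keys "$1" || true)
    refs=$(find_passphrase_refs "$1" || true)
    if [ -n "$keys" ]; then echo "$keys" | sed 's/^/private key: /'; fi
    if [ -n "$refs" ]; then echo "$refs" | sed 's/^/passphrase reference: /'; fi
    [ -z "$keys" ] && [ -z "$refs" ]
}

# Build a constructed sample tree shaped like the rootfs/gpg layout above.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/rootfs/gpg" "$d/rootfs/etc"
    printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '(constructed placeholder)' \
        '-----END PGP PRIVATE KEY BLOCK-----' > "$d/rootfs/gpg/private.key"
    printf 'PARAPHRASE: example-not-real\n' > "$d/rootfs/gpg/secret.txt"
    printf 'hostname=camera\n' > "$d/rootfs/etc/config"
    echo "$d/rootfs"
}

sample=$(make_sample_rootfs)
if audit_rootfs "$sample"; then
    echo "clean: image may be released"
else
    echo "blocked: secrets found in image"
fi
```

Run against the real extraction output by passing fmk/rootfs to audit_rootfs in place of the sample tree.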