Photon Lockdown

2 minutes to read

We are given a folder called ONT (which stands for Optical Network Terminal) with three files:

$ ls
fwu_ver	hw_ver	rootfs

$ cat fwu_ver
3.0.5

$ cat hw_ver
X1

$ file rootfs
rootfs: Squashfs filesystem, little endian, version 4.0, zlib compressed, 10936182 bytes, 910 inodes, blocksize: 131072 bytes, created: Sun Oct  1 07:02:43 2023

File system extraction

We can use unsquashfs or sasquashfs to decompress the file system, but 7z works as well:

$ 7z x rootfs

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs LE)

Scanning the drive for archives:
1 file, 10936320 bytes (11 MiB)

Extracting archive: rootfs
--
Path = rootfs
Type = SquashFS
Physical Size = 10936320
Headers Size = 18934
File System = SquashFS 4.0
Method = ZLIB
Cluster Size = 131072
Big-endian = -
Created = 2023-10-01 08:02:43
Characteristics = DUPLICATES_REMOVED EXPORTABLE
Code Page = UTF-8

Everything is Ok

Folders: 44
Files: 865
Size:       33832668
Compressed: 10936320

$ ls
bin  config  dev  etc  fwu_ver  home  hw_ver  image  lib  mnt  overlay  proc  rootfs  run  sbin  sys  tmp  usr  var

Flag

At this point, we can use grep to search for the flag (we know its format is HTB{...}):

$ grep -r HTB .
Binary file ./rootfs matches
Binary file ./bin/tc matches
Binary file ./bin/ip matches
./etc/config_default.xml:<Value Name="SUSER_PASSWORD" Value="HTB{N0w_Y0u_C4n_L0g1n}"/>