metamorphosis

Challenge

Imported from local notes.md.

Solution

Original Notes

metamorphosis

Challenge Summary

  • Given: A packet capture, starting_files/morph.pcap, containing traffic to an old router web UI.
  • Goal: Identify the router manufacturer/model, determine the old firmware version, and recover the new firmware name/version being installed.
  • Constraints: No firmware image was provided directly; all evidence had to be recovered from network traffic.

Initial Recon / Triage

  • Observations:
    • The pcap is mostly HTTP traffic between 192.168.1.101 and 192.168.1.1.
    • Exported HTTP objects clearly show a Linksys/Cisco-style admin interface.
    • The interesting workflow centers on Management.asp, Upgrade.asp, and a final POST /upgrade.cgi.
  • File identification:
    • starting_files/morph.pcap - capture containing the entire admin session.
    • artifacts/http_export/ - HTTP objects exported from the pcap for offline review.
  • Entry points:
    • Router admin pages over HTTP.
    • Firmware upload in the multipart POST /upgrade.cgi request.

Hypotheses & Approach

  • Hypothesis 1: The router model and currently installed firmware version would be visible in the HTML of the admin/upgrade pages.
  • Hypothesis 2: The new firmware name and version would be recoverable from the multipart upload filename in the final firmware upload request.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/dawg2026CTF/metamorphosis
capinfos starting_files/morph.pcap
tshark -r starting_files/morph.pcap -q -z io,phs
tshark -r starting_files/morph.pcap --export-objects http,artifacts/http_export
rg -n "WRT610N|version|firmware" artifacts/http_export/Upgrade.asp artifacts/http_export/Management.asp artifacts/http_export/*.js

Results:

  • The protocol hierarchy showed a small HTTP management session inside the capture.
  • Exported objects included Management.asp and Upgrade.asp.
  • Upgrade.asp displayed firmware version 1.00.00 B18 in the page header and showed the model as WRT610N.
  • Management.asp also contained WRT610NV1_v1.00.00.cfg, confirming the hardware revision as WRT610NV1.

Stage 2

Commands:

cd /root/dawg2026CTF/metamorphosis
tshark -r starting_files/morph.pcap -Y 'http.request.uri == "/Upgrade.asp" || http.request.method == "POST"' -T fields -e frame.number -e tcp.stream -e http.request.method -e http.request.uri
tshark -r starting_files/morph.pcap -q -z follow,tcp,ascii,107
tshark -r starting_files/morph.pcap -q -z follow,tcp,ascii,125

Results:

  • Stream 107 was the GET /Upgrade.asp response and exposed the current firmware version 1.00.00 B18.
  • Stream 125 was the final POST /upgrade.cgi request.
  • The multipart upload contained the filename openwrt-24.10.0-bcm47xx-generic-linksys_wrt610n-v1-squashfs.bin.
  • From that filename, the new firmware is OpenWrt version 24.10.0.
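The filename recovery in Stage 2, as an added example that is not part of the original notes: it pulls upload filenames out of a multipart/form-data body and splits an OpenWrt image name into its fields. The sample body (boundary, form field names, payload) is constructed, the OpenWrt naming pattern is an assumption about release image names, and the function names are hypothetical.

```python
import re
from typing import Optional

# Constructed sample of a multipart/form-data body shaped like POST /upgrade.cgi.
# Boundary and form field names are assumptions; only the filename is from the notes.
SAMPLE_BODY = (
    b"--constructed-boundary\r\n"
    b'Content-Disposition: form-data; name="submit_button"\r\n\r\n'
    b"Upgrade\r\n"
    b"--constructed-boundary\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="openwrt-24.10.0-bcm47xx-generic-linksys_wrt610n-v1-squashfs.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x00\x01constructed placeholder, not firmware\r\n"
    b"--constructed-boundary--\r\n"
)

# filename="..." parameter on a part's Content-Disposition header line.
FILENAME_RE = re.compile(
    rb'^Content-Disposition:[^\r\n]*?\bfilename="([^"\r\n]*)"', re.I | re.M)

# Assumed OpenWrt release image layout:
# openwrt-<version>-<target>-<subtarget>-<device>-<fstype>[-<kind>].<ext>
OPENWRT_RE = re.compile(
    r"^openwrt-(?P<version>\d+\.\d+\.\d+(?:-rc\d+)?)"
    r"-(?P<target>[a-z0-9]+)-(?P<subtarget>[a-z0-9_]+)"
    r"-(?P<device>.+)-(?P<fstype>squashfs|initramfs|ext4)"
    r"(?:-(?P<kind>[a-z]+))?\.(?P<ext>bin|img|trx)$"
)

def upload_filenames(body: bytes) -> list:
    """Return the basename of every uploaded file named in a multipart body."""
    names = []
    for raw in FILENAME_RE.findall(body):
        name = raw.decode("utf-8", "replace")
        # Some old browsers send the full client-side path; keep the basename only.
        names.append(name.replace("\\", "/").rsplit("/", 1)[-1])
    return names

def parse_openwrt_name(name: str) -> Optional[dict]:
    """Split an OpenWrt image name into its fields, or None if it does not fit."""
    m = OPENWRT_RE.match(name)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for fn in upload_filenames(SAMPLE_BODY):
        print(fn, parse_openwrt_name(fn))
```

Run against the reassembled request body of stream 125, the same two functions give the name and version fields used in the flag.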

Artifacts Produced

  • artifacts/http_export/ - HTTP objects exported from the capture, including Management.asp and Upgrade.asp.

Flag

DawgCTF{Linksys_WRT610NV1_1.00.00_B18_OpenWrt_24.10.0}