4. UART shell + System enumeration

1. Gaining a shell

UART shell | Penetration testing & ethical hacking conceptsjarrettgxz-sec.gitbook.io

First, identify the device name of the USB-UART adapter:

$ ls /dev | grep -i usb
ttyUSB0

Next, use picocom to retrieve a shell, with the baud rate as 115200 (a common first guess)

$ picocom -b 115200 /dev/ttyUSB0

Received a log output with non-gibberish text
- this means that the correct baud rate was chosen
A "Hit enter to continue..." message was shown
- From there, we are able to pop a BusyBox v1.7.2 shell

2. System enumeration

List of enumeration steps:

Read through the initial boot logs
Useful commands

View available memory
List available binaries
Identify architecture and stack protections

Firmware version discovery

web interface
nvram

Identify httpd binary location

2.1 Boot logs

Boot version

CFE version 5.100.138.11 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 11/23/11 12:16:38 CST (wzh@cybertan)
Copyright (C) 2000-2008 Broadcom Corporation.

Other useful information

Linux version 2.6.22 (wzh@cybertan) (gcc version 4.2.3) #2 Wed Feb 15 20:33:15 CST 2012
Kernel command line: root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit

2.2 Useful commands

Available memory:

# cat /proc/meminfo
# free

List all the available binaries:

# echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin

# ls /usr/bin
# ls /bin
# ls /usr/sbin
# ls /sbin

Architecture and stack protections:

# uname -u
# cat /etc/version
# cat /etc/banner
# cat /etc/issue

# cat /proc/cpuinfo
# cat /proc/sys/kernel/randomize_va_space

2.3 Firmware version discovery

2.3.1 Web interface (port 80)

We are able to identify the firmware version from the main web page running on port 80:

2.3.2 `nvram` command

# nvram get wps_modelnum

My device is running the firmware version 2.0.02

2.4 `httpd` binary (CVE-2025-60690, CVE-2025-60691, etc.)

# find / -path '*httpd*' 2>/dev/null
# ps w | grep httpd

3. Filesystem permissions

# mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro)
devfs on /dev type tmpfs (rw)
sysfs on /sys type sysfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
devpts on /dev/pts type devpts (rw)

Notice that there are a few "mount points" of the filesystem that are readable + writable (rw). However, there are a few caveats, explained for each part:

rootfs (/)

Shown as read+writable (rw)
However, it maps to the /dev/root partition when the kernel is loaded
Hence, it inherits the permissions of /dev/root, and will be read-only (ro)

devfs (/dev)

read+writable

sysfs (/sys)

Shown as read+writable (rw)
However, it is mainly for the kernel to generate data on the fly
Files can't be created directly, but existing ones (created by the kernel) can be modified

proc (/proc)

Shown as readable+writable (rw)
Similar to the sysfs, files can't be created, but existing ones (created by the kernel) can be modified:
- Eg. echo 1 > /proc/sys/net/ipv4/ip_forward

ramfs (/tmp)

read+writable

Previous3. Hardware interactions Next5. Reverse engineering + Exploit development

Last updated 25 days ago

hashtag1. Gaining a shell

hashtag2. System enumeration

hashtag2.1 Boot logs

hashtag2.2 Useful commands

hashtag2.3 Firmware version discovery

hashtag2.3.1 Web interface (port 80)

hashtag2.3.2 nvram command

hashtag2.4 httpd binary (CVE-2025-60690, CVE-2025-60691, etc.)

hashtag3. Filesystem permissions