HackFortressOS Adventures with Buildroot

About The Project

Arch Cloud Labs’ last three blog posts dove into different aspects of IoT/embedded vulnerabilities. Coming off of these bug hunting adventures, I wanted to build a unique set of Capture The Flag (CTF) challenges for this year’s Hack Fortress. To do this, I referenced OWASP’s Top 10 for IoT and used Buildroot to build a custom operating system for a Raspberry Pi 1, dubbed “HackFortress OS”. This project ultimately produced a series of challenges that covered the following items from the OWASP IoT Top Ten:

  • Hardcoded passwords/keys (1/10 on OWASP IoT 2018)
  • Insecure network services (2/10 on OWASP IoT 2018)
  • An insecure update mechanism (4/10 on OWASP IoT 2018)

Note for competitors: this is not a walkthrough of the challenges, but a walkthrough of building HackFortress OS.

Buildroot - Make, but for Entire Systems

Buildroot is a build system that enables end users to build custom operating systems for a given embedded platform. Obtaining the latest release and listing the contents of the board directory shows the various platforms Buildroot supports. Below is a truncated listing of the supported boards. Notably, we see “raspberrypi”, as in the first Raspberry Pi made: a platform that’s over ten years old, and just the appropriate board for building a vulnerable embedded system to let hackers poke at for the weekend.

ls ~/buildroot/board/
minnowboard  openblocks  qemu           raspberrypi2      raspberrypicm4io-64  sipeed             
nexbox       orangepi    qmtech         raspberrypi3      raspberrypizero2w    solidrun          
nezha        pandaboard  radxa          raspberrypi3-64   roseapplepi          spike            
octavo       pc          raspberrypi    raspberrypi4      seeed                stmicroelectronics  
olimex       pcengines   raspberrypi0   raspberrypi4-64   sheevaplug           synopsys       
olpc         pine64      raspberrypi0w  raspberrypicm4io  sifive               technexion        

With raspberrypi identified as the target system, the next step is to build a default configuration that can then be modified as needed.

 buildroot $> make raspberrypi_defconfig
#
# configuration written to /home/dllcoolj/buildroot/.config
#
➜  buildroot 

Those familiar with building custom kernels and the ncurses view provided by make menuconfig will be right at home with this next section. The initial configuration menu contains numerous submenus that allow Buildroot users a lot of flexibility when building a custom image.

  • Toolchain (compiling options)

  • Build options (including specific security features)

  • System configuration (user information/locale information)

  • Kernel (specify kernel options you want to configure)

  • Target packages (binaries, libraries on disk)

For the Hack Fortress team disabling security hardening features.
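The security features under Build options end up as BR2_* symbols in the generated .config, so their state can be checked without opening menuconfig. The script below is an added example, not part of the original post or of Buildroot; it assumes the Buildroot release in use names the symbols BR2_PIC_PIE, BR2_SSP_*, BR2_RELRO_* and BR2_FORTIFY_SOURCE_*, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: summarise the hardening choices in a Buildroot .config.
# BR2_* names are assumed Buildroot "Build options" symbols; samples are constructed.

# Print the suffix of the enabled BR2_<group>_* choice (e.g. STRONG, FULL, 2).
br2_choice() {
    sed -n "s/^BR2_${2}_\([A-Z0-9_]*\)=y\$/\1/p" "$1" | head -n 1
}

# Print one summary line; "weak" counts features that are off, NONE or missing.
audit_config() {
    cfg=$1 weak=0 pie=off
    if grep -q '^BR2_PIC_PIE=y$' "$cfg"; then pie=on; else weak=$((weak + 1)); fi
    ssp=$(br2_choice "$cfg" SSP)
    relro=$(br2_choice "$cfg" RELRO)
    fortify=$(br2_choice "$cfg" FORTIFY_SOURCE)
    for v in "$ssp" "$relro" "$fortify"; do
        case $v in NONE | '') weak=$((weak + 1)) ;; esac
    done
    echo "PIE=$pie SSP=${ssp:-unset} RELRO=${relro:-unset} FORTIFY=${fortify:-unset} weak=$weak"
}

# Constructed sample: hardening left enabled.
sample_hardened() {
    cat <<'EOF'
BR2_PIC_PIE=y
# BR2_SSP_NONE is not set
BR2_SSP_STRONG=y
BR2_RELRO_FULL=y
BR2_FORTIFY_SOURCE_2=y
EOF
}

# Constructed sample: hardening switched off, as in a deliberately vulnerable image.
sample_weakened() {
    cat <<'EOF'
# BR2_PIC_PIE is not set
BR2_SSP_NONE=y
BR2_RELRO_NONE=y
BR2_FORTIFY_SOURCE_NONE=y
EOF
}

tmp=$(mktemp)
for s in sample_hardened sample_weakened; do
    "$s" > "$tmp"
    echo "$s: $(audit_config "$tmp")"
done
rm -f "$tmp"
```

Running audit_config against the .config of an image meant for production is a quick way to confirm that a training configuration like this one was not reused by accident.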