1. binwalk firmware.bin
![iot1](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot1.png)
2. dd if=firmware.bin skip=538952 bs=1 of=firmware_squash.sqsh
![iot2](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot2.png)
3. unsquashfs firmware_squash.sqsh
![iot3](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot3.png)
4. ls
![iot4](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot4.png)
5. cd squashfs-root && ls
![iot5](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot5.png)
6. #check the architecture
file bin/busybox
![iot6](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot6.png)
7. #check user accounts and password hashes
cat etc/passwd etc/shadow
![iot7](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot7.png)
8. #list the scripts that run during device initialization
cat etc/inittab
![iot8](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot8.png)
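9. #bind-mount the host's /proc, /dev and /sys into the extracted root filesystem (run as root; adjust the paths to where squashfs-root was extracted)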
mount --bind /proc /media/psf/Pentesting/Platforms/HTB/challenges/squashfs-root/proc
mount --bind /dev /media/psf/Pentesting/Platforms/HTB/challenges/squashfs-root/dev
mount --bind /sys /media/psf/Pentesting/Platforms/HTB/challenges/squashfs-root/sys
![iot9](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot9.png)
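10. #emulate the firmware: chroot into the extracted root filesystem and start its shell (run as root from inside squashfs-root; if the architecture from step 6 differs from the host's, a user-mode emulator such as qemu-user-static has to be available inside the chroot)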
chroot . /bin/sh
![iot10](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot10.png)
11. #double check the architecture
uname -m
![iot11](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot11.png)
12. #boot the device
/etc/init.d/rcS S boot
or
#launch the prompt
![iot12](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot12.png)
13. #check the open ports
netstat -tln
![iot13](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot13.png)
14. #now you can connect to the emulated device through the browser, using one of the listening ports from step 13
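15. #if you change the firmware and want to upload it back, rebuild the SquashFS image with the same compression that binwalk reported for the original in step 1 (exit the chroot and unmount proc, dev and sys from step 9 first, otherwise the host's contents are packed into the image)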
mksquashfs squashfs-root firmware_patched.sqsh -comp xz
![iot15](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot15.png)
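16. #create the firmware file. Note the "seek" parameter – it is the same offset as "skip" in step 2. firmware_patched.bin should start as a copy of the original firmware.bin, because conv=notrunc overwrites the SquashFS region in place and keeps the rest of the image; the rebuilt SquashFS must not be larger than the original one, or it will overwrite any data that follows it.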
dd if=firmware_patched.sqsh of=firmware_patched.bin conv=notrunc seek=538952 bs=1
![iot16](https://www.ivanglinkin.com/wp-content/uploads/2024/05/iot16.png)