NovaTel/Verizon MiFi 7730L - From no privileges to root in 8 days
by Chloe, November 20, 2024
So, on July 22, 2024, I bought a random router with a screen off eBay. It was certainly a good deal, for 5 bucks. I finally received it on August 2, 2024.
I tried seeing if there was anything I could get command injection in, to no avail. I even tried the classic DMZ method as seen on the MHS815L writeup, but that was patched, it appears.
So, eventually, I try searching for any more info about this device. I stumble upon an XDA thread...
Oh, cool! They managed to pop a login prompt! Maybe I can try this and try root:oelinux123 (the default login for most Qualcomm-powered devices/routers).
God damnit.
Well, after this I create an XDA account and ask for help in the thread. Renate, who has a root shell on their 8800L through ADB (which I can't obtain on my 7730L), generously provides me with the password hashes for the users "mifi" and "root".
After a bit, I hand off cracking those hashes to 2 NVIDIA GPUs.
It took a while though, and by the time one of the hashes was cracked I was already on vacation...
The password to "mifi" was eventually cracked. The password was "world2k". Renate gladly tested while I couldn't and the password worked.
So, by the time I came back home, I logged into my hotspot with the "mifi" account. It worked! So clearly this thing is similar to the 8800L.
I start looking for anything writable for privilege escalation, and I eventually find some stuff in /opt/nvtl/tmp/router2.
sidenote: there was supposed to be a deinit_dmz.sh file here, but this screenshot was taken ahead of the rooting process. just pretend it's there. xDDDD
Is this it? Is this what finally gets me to root?
I eventually run "while true; do cp /home/mifi/a.sh ./init_dmz.sh; done".
The contents of a.sh:
I go into the WebUI, deactivate and reactivate DMZ a few times, and after that I stop running the while-true command because I was scared that it was going to kill the internal storage.
Then, I try connecting to ADB on the router IP and popping a shell:
Holy shit... It's finally over.
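For anyone hardening a box like this, the thing to audit is whether a script that gets run as root, or the directory it lives in, can be modified by a non-root account. The check below is an added example, not part of the original writeup or any vendor code; the function names are hypothetical, and it assumes the DMZ scripts are executed by root and that `stat` supports `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (constructed): flag root-run scripts a non-root user could swap.
# Assumes a stat that supports -c (GNU coreutils or BusyBox).

# not_locked_down PATH TRUSTED_UID
# True (0) if PATH is owned by someone else or is group/other-writable.
not_locked_down() {
    owner=$(stat -c %u "$1") || return 0   # cannot inspect: treat as unsafe
    mode=$(stat -c %a "$1") || return 0
    [ "$owner" = "$2" ] || return 0
    case "$mode" in
        *[2367]?|*[2367]) return 0 ;;      # write bit set for group or other
    esac
    return 1
}

# tamperable SCRIPT [TRUSTED_UID]
# Checks the script and its directory. The directory matters as much as the
# file: write access there allows replacing a read-only script.
# Returns 0 and prints findings if either can be modified; 1 if both are tight.
tamperable() {
    script=$1
    trusted=${2:-0}
    found=1
    for p in "$script" "$(dirname -- "$script")"; do
        [ -e "$p" ] || continue
        if not_locked_down "$p" "$trusted"; then
            echo "UNSAFE: $p owner=$(stat -c %u "$p") mode=$(stat -c %a "$p")"
            found=0
        fi
    done
    return "$found"
}

# Usage, with the directory and file name from the writeup:
#   sh audit.sh /opt/nvtl/tmp/router2/init_dmz.sh
if [ "$#" -gt 0 ]; then
    for s in "$@"; do
        tamperable "$s" || echo "ok: $s"
    done
fi
```

Anything reported as UNSAFE should be moved to a root-owned directory with mode 755 and a root-owned file, or the service should stop executing scripts from a temp path at all.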
Anyway, here's the specs for anyone who wants to know:
That concludes the writeup! I hope you enjoyed reading it! <3