Shenzhen Century Xinyang Technology WiFi Extender: Funniest root speedrun of my life
by suchblue, October 13, 2024
Credits: chloe / vea.st for letting me publish this on their blog <3
yesterday, i was wondering whether i could do anything interesting with a wifi extender i bought from eBay a few months ago..
i think the fact this writeup exists already answers that question
We get greeted with this glorious WebUI.. this SCREAMS vulnerable.
i proceeded to the AP settings tab, where i could edit the requests and try to fit
$(telnetd) into every field possible (the classic command-injection probe: if the backend pastes a field straight into a shell command, that spawns telnetd for you)..
..but that wasn't even needed! let's do a quick nmap scan
telnet is already open! how nice of them.. i wish it was always that easy..
unfortunately it is never that easy: it wouldn't respond to any shell commands, since it seems
we are in some kind of jail (a restricted shell)... until i try to execute a restart command?
after some quick trial and error.. i found that the string "art" is what was triggering the
command execution. how did i manage to get a shell simply because i tried running a linux
command that doesn't even exist (you'd usually run "reboot")? i have no clue
now that we have a shell, let's snoop around /www and drop a hacked.shtml file there (a quick proof that the shell can write to the web root)
it works, lighttpd doesn't seem to be a big fan of goofy maltese characters though LOL (the luci-static folder is empty; they nuked luci and uhttpd in favour of this odd lighttpd setup)
and if you were wondering, yes, this is running openwrt on mips. the root & admin password hashes
are $1$7rmMiPJj$91iv9LWhfkZE/t7aCBdo.0 and $1$mUfAps1u$C6dhcb2ocwx89xs9ofhJX.
respectively (the $1$ prefix means md5crypt, which is cheap to attack offline: hashcat mode 500, or john's md5crypt format).
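if you want to check candidate passwords against those two hashes yourself, here is a pure-Python md5crypt implementation (an added example, not code from the original post or from the device): it follows the FreeBSD md5crypt construction that glibc, busybox and openwrt use for "$1$" hashes, so you don't need the `crypt` module that newer Pythons dropped. the candidate list is constructed for illustration only; the post does not say what the real passwords are.

```python
"""
Added example (not from the original post): pure-Python md5crypt, used to
check candidate passwords against the two "$1$" hashes quoted above.

The algorithm is the FreeBSD md5crypt construction used by glibc, busybox
and OpenWrt. CANDIDATES is a constructed list for illustration; the post
does not reveal the real passwords.
"""
import hashlib

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """md5crypt's custom base64: n chars, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """Return the "$1$salt$hash" string for password under md5crypt."""
    pw = password.encode()
    sp = salt.encode()[:8]  # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    # mix in len(pw) bytes of the alternate digest, 16 at a time
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # the "really weird" step: one byte per bit of len(pw)
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of key stretching with a fixed mixing schedule
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # encode the permuted digest bytes (22 output chars)
    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + sp + b"$" + enc).decode()


def parse_md5crypt(hashed):
    """Split "$1$salt$hash" into (salt, hash); reject other formats."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1" or len(parts[3]) != 22:
        raise ValueError("not an md5crypt hash: %r" % hashed)
    return parts[2], parts[3]


def crack(hashed, candidates):
    """Return the first candidate whose md5crypt matches hashed, else None."""
    salt, _ = parse_md5crypt(hashed)
    for cand in candidates:
        if md5crypt(cand, salt) == hashed:
            return cand
    return None


# the two hashes from the extender, as quoted in the post
ROOT_HASH = "$1$7rmMiPJj$91iv9LWhfkZE/t7aCBdo.0"
ADMIN_HASH = "$1$mUfAps1u$C6dhcb2ocwx89xs9ofhJX."

# constructed candidate list; a real run would feed a proper wordlist
CANDIDATES = ["admin", "root", "password", "12345678", "openwrt"]

if __name__ == "__main__":
    for name, h in (("root", ROOT_HASH), ("admin", ADMIN_HASH)):
        hit = crack(h, CANDIDATES)
        print(name, h, "->", hit if hit else "no match in candidate list")
```

before trusting the implementation on a real target, cross-check one value against `openssl passwd -1 -salt 7rmMiPJj <candidate>`, which produces the same "$1$" format; for anything beyond a handful of guesses, hand the hashes to hashcat (-m 500) or john instead of looping in Python.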
if we take a quick peek we can see that telnetd was running an executable at
/bin/connull (the funny jail), and i also found another file called /bin/backgroud which definitely
doesn't come with openwrt (after checking the strings of the executable, i think it is what the
webui uses to control settings).. both executables are attached to this writeup.
and i think that concludes the writeup! i hope you found this interesting and learned
something new :D once again, thanks to chloe for letting me publish this on her blog
Attached: connull (4.38 KB)
Attached: backgroud (6.99 KB)