T-Mobile TMOHS1: from WebUI to root in 11 minutes

by Chloe, June 6, 2024

so (basically yesterday), i got bored and remembered i had a few portable routers. specifically the T-Mobile TMOHS1 that they (used to?) provide from the T-Mobile Test Drive program. i dug it out and turned it on and reset it. i logged into the wifi network and got on the router's web page. are you kidding me i logged on. this is CLEARLY the most secure router i've ever seen in my life i started peeking around the settings. no diagnostics/ping tool page. not nice! until i realized... i could just... shove $() into every textbox possible until it runs... and i did exactly that. i got to the WPS PIN page. that concludes everything! fuck tmobile! afterthoughts: i started looking through the fs and decided to go through /etc/shadow. i found the root password within 10 seconds. apparently google is your friend.