Hacking a Netis WF-2404 Router with a Flipper Zero (cont.)
Day 2: Exploring the filesystem and cracking the root password
Picking up where we left off…
A couple of nights ago, I bought a piece-of-crap router. I wanted to look at the Flipper Zero’s hardware testing capabilities. I purchased a Netis WF-2404 router, which appears to have been released around 2010, but people are still selling (and maybe even using) these things.
My first task was to open the router up, look at the main circuit board, and identify potential avenues of attack. I found a 12-pin JTAG port and two, teeny tiny vias that I identified as UART RX and UART TX based on the information I got from the RTL8196C’s datasheet. Since using the Flipper to speak JTAG to the chip is a bit more involved, I figured I would try the UART route first. Once I determined the baud rate, I was able to get a data to my testing machine from the TX pin, but I was not able to get a stable connection to the RX pin. These test points are really really tiny, and my test leads were a little too beefy. So I purchased some hook test leads online and waited…
Test leads arrive… and are still too big
The hook clip test leads that I bought were still way too large to grab onto the test points or the pins themselves. But I was not willing to wait to order pogo pins, so I decided to improvise. I removed the hook attachment, exposing the stranded wire. Then, I separated the strands so that only one was sticking out.
In order to avoid jostling, I made sure to turn my Flipper on and open the USB-UART Bridge app ahead of time. I also made sure to plug the power adapter into the router and a surge protector with the power off. That way, I could cut or supply power with the surge protector power switch as opposed to the plug on the router. I plugged the jumper wire connector ends into my Flipper, and since I don’t own a micro-soldering setup or a PCBite, I had to carefully place each wire stand on their respective test points. Here is a photo of my setup:
With everything in place, I opened a terminal instance using the following command:
$ sudo screen /dev/tty.usbmodemflip_Eopo1 38400Then, I switched the surge protector power on and waited for my shell.
Let’s try this again
=============================
<Probe SPI #0 >
1.Manufacture ID=0x0000001c
2.Device ID=0x00000031
3.Capacity ID=0x00000016
4.EON SPI (4 MByte)!
5.Total sector-counts = 1024(sector=4KB)
6.spi_flash_info[0].device_size = 22
01_8198_SFCR(b8001200) =1f800000
01_8198_SFCR2(b8001204) =0bb08000
01_8198_SFCSR(b8001208) =c8000000
---RealTek(RTL8196C)at 2010.12.14-16:16+0800 version v1.1c [16bit](390MHz)
no sys signature at 00010000!
no sys signature at 00020000!
Jump to image start=0x80500000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
RTL8192C/RTL8188C driver version 1.4 (2010-08-11)
serial console detected. Disabling virtual terminals.
init started: BusyBox v1.00-pre8 (2010.12.13-07:23+0000) multi-call binary
BusyBox v1.00-pre8 (2010.12.13-07:23+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
39
8.10.74.da.a2.92.0.0.0.0.0.0.
da, a2 92,tڢ�
killall: udhcpc: no process killed
SIOCGIFFLAGS: No such device
bridge br0 doesn't exist; can't delete it
SIOCDELRT: No such process
SIOCDELRT: No such process
udhcp server (v0.9.9-pre) started
open logs file
Unable to open /var/lib/misc/udhcpd.leases for reading
Unable to open /var/lib/misc/udhcpd.leases for reading
if:br0, mask:255.255.255.0, getInAddr()'s return:1
[udhcpd_main:630:dhcpd.c], server_config.auto_time=7200
SIOCSIFFLAGS: Cannot assign requested address
open logs file
udhcp client (v0.9.9-pre) started
IEEE 802.11f (IAPP) using interface br0 (v1.7)
SIOCDELRT: No such process
MiniIGD v1.07 (2010.07.05-08:51+0000).
script is: /usr/share/udhcpc/eth1.sh
doamin=0
232
/proc/sys/net/ipv4/netfiter/ip_conntrack_tcp_timeout_close_wait: cannot create
253
254
cdrom_wizard start
255
Running ...
266
270
270
# help
Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait
# login
login: command not found
# echo "hello" > /tmp/1.txt
# cat /tmp/1.txt
hello
# echo "hello" > /etc/1.txt
/etc/1.txt: cannot create
# echo $USER
root
# cat /еtc/passwd
root:abSQTPcIskFGc:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody:/:
# A root shell! And oddly, password hashes are stored in /еtc/passwd, and /еtc/shadow does not exist? In fact, a lot of commands are not available on this BusyBox shell. Even some of the commands listed in the help menu return a <command> not found error. But we have echo and we have cat, which is enough to grab the password hash of the root user. Let’s see how John the Ripper handles this hash.
john hashes.txt
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: MaxLen = 13 is too large for the current hash type, reduced to 8
realtek (root)
1g 0:00:00:12 3/3 0.07794g/s 3495Kp/s 3495Kc/s 3495KC/s realka2..reasll5
Use the "--show" option to display all of the cracked passwords reliably
Session completedThis password hash takes all of 12 seconds to crack, and we get the root password realtek.
Exploring elsewhere
We already have a root shell and the root password, and we can create files in the /tmp directory, but the file system is read-only. Is there a way to bypass this somehow to write to a persistent directory? We can’t remount the filesystem because the mount command does not appear to be available. The BusyBox shell exposed a limited command set that does provide some potential avenues. There is the readonly command, but I am not sure how it works and this documentation was not very helpful. Here is what the command output looked like on the shell:
# readonly
# readonly false
readonly false
# readonly foobar
readonly foobar
readonly false
# readonly help
readonly help
readonly foobar
readonly false
# readonly -h
-h: bad identifier
# readonly --h
--h: bad identifier
# readonly -help
-help: bad identifier
# readonly --help
--help: bad identifier
# man readonly
man: command not foundSo it just appears to just spit back a history. In the meantime, the flash command seems to be an interesting and potentially useful. This command was not listed in the help menu, but I found it by looking around, particularly this post looking at a later firmware firmware version for the RTL8196C but also here, here, and here. Maybe it could be used to talk directly to the EN25F32, meaning I don’t need to desolder the flash memory!
# flash
Usage: flash cmd
option:
cmd:
default -- write flash parameters to default.
get [wlan interface-index] mib-name -- get a specific mib from flash
memory.
set [wlan interface-index] mib-name mib-value -- set a specific mib into
flash memory.
all -- dump all flash parameters.
gethw hw-mib-name -- get a specific mib from flash
memory.
sethw hw-mib-name mib-value -- set a specific mib into
flash memory.
allhw -- dump all hw flash parameters.
reset -- reset current setting to default.
set_mib -- get mib from flash and set to wlan interface.
param import|export filename -- import or export flash parameters.
# flash allhw
HW_BOARD_ID=1
HW_NIC0_ADDR=081074daa292
HW_NIC1_ADDR=081074daa293
HW_WLAN_ADDR=081074daa292
HW_WLAN_ADDR1=081074daa294
HW_WLAN_ADDR2=081074daa295
HW_WLAN_ADDR3=081074daa296
HW_WLAN_ADDR4=081074daa297
HW_WLAN_ADDR5=081074daa298
HW_WLAN_ADDR6=081074daa299
HW_WLAN_ADDR7=081074daa29a
HW_REG_DOMAIN=1
HW_RF_TYPE=10
HW_11N_XCAP=0
HW_11N_TSSI1=0
HW_11N_TSSI2=0
HW_11N_THER=18
HW_11N_RESERVED1=0
HW_11N_RESERVED2=0
HW_11N_RESERVED3=0
HW_11N_RESERVED4=0
HW_11N_RESERVED5=0
HW_11N_RESERVED6=0
HW_11N_RESERVED7=0
HW_11N_RESERVED8=0
HW_11N_RESERVED9=0
HW_11N_RESERVED10=0
HW_TX_POWER_CCK_A=2c2c2c2b2b2b2b2b2b2b2c2c2c2c
HW_TX_POWER_CCK_B=2f2f2f3131313131313135353535
HW_TX_POWER_HT40_1S_A=2a2a2a2a2a2a2a2a2a2a2a2a2a2a
HW_TX_POWER_HT40_1S_B=2d2d2d2e2e2e2e2e2e2e2e2e2e2e
HW_TX_POWER_DIFF_HT40_2S=0000000000000000000000000000
HW_TX_POWER_DIFF_HT20=0000000f0f0f0f0f0f0f0f0f0f0f
HW_TX_POWER_DIFF_OFDM=1111111010101010101020202020
HW_11N_XCAP=0
HW_LED_TYPE=11
HW_TX_POWER_5G_HT40_1S_A=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_5G_HT40_1S_B=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT40_2S=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT20=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_OFDM=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_WSC_PIN="43284665"
HW_WLAN_ADDR=5b0000000000
HW_WLAN_ADDR1=0000000e2900
HW_WLAN_ADDR2=000000000000
HW_WLAN_ADDR3=000000000000
HW_WLAN_ADDR4=000000000000
HW_WLAN_ADDR5=000000000000
HW_WLAN_ADDR6=000000000000
HW_WLAN_ADDR7=000000000000
HW_REG_DOMAIN=0
HW_RF_TYPE=0
HW_11N_XCAP=0
HW_11N_TSSI1=0
HW_11N_TSSI2=0
HW_11N_THER=0
HW_11N_RESERVED1=0
HW_11N_RESERVED2=0
HW_11N_RESERVED3=0
HW_11N_RESERVED4=0
HW_11N_RESERVED5=0
HW_11N_RESERVED6=0
HW_11N_RESERVED7=0
HW_11N_RESERVED8=0
HW_11N_RESERVED9=0
HW_11N_RESERVED10=0
HW_TX_POWER_CCK_A=0000000000000000000000000000
HW_TX_POWER_CCK_B=0000000000000000000000000000
HW_TX_POWER_HT40_1S_A=0000000000000000000000000000
HW_TX_POWER_HT40_1S_B=0000000000000000000000000000
HW_TX_POWER_DIFF_HT40_2S=0000000000000000000000000000
HW_TX_POWER_DIFF_HT20=0000000000000000000000000000
HW_TX_POWER_DIFF_OFDM=0000000000000000000000000000
HW_11N_XCAP=0
HW_LED_TYPE=0
HW_TX_POWER_5G_HT40_1S_A=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_5G_HT40_1S_B=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT40_2S=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_HT20=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_TX_POWER_DIFF_5G_OFDM=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
HW_WSC_PIN=""
# flash all |grep PASS
DEF_PPP_PASSWORD=""
DEF_PPTP_PASSWORD=""
DEF_L2TP_PASSWORD=""
DEF_SUPER_PASSWORD=""
DEF_USER_PASSWORD="guest"
DEF_DDNS_PASSWORD=""
DEF_VPN_PASSTHRU_IPSEC_ENABLED=1
DEF_VPN_PASSTHRU_PPTP_ENABLED=1
DEF_VPN_PASSTHRU_L2TP_ENABLED=1
DEF_WLAN0_RS_PASSWORD=""
DEF_WLAN0_ACCOUNT_RS_PASSWORD=""
DEF_WLAN0_VAP0_RS_PASSWORD=""
DEF_WLAN0_VAP0_ACCOUNT_RS_PASSWORD=""
DEF_WLAN0_VAP1_RS_PASSWORD=""
DEF_WLAN0_VAP1_ACCOUNT_RS_PASSWORD=""
DEF_WLAN0_VAP2_RS_PASSWORD=""
DEF_WLAN0_VAP2_ACCOUNT_RS_PASSWORD=""
DEF_WLAN0_VAP3_RS_PASSWORD=""
DEF_WLAN0_VAP3_ACCOUNT_RS_PASSWORD=""
DEF_WLAN0_VAP4_RS_PASSWORD=""
DEF_WLAN0_VAP4_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_RS_PASSWORD=""
DEF_WLAN1_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_VAP0_RS_PASSWORD=""
DEF_WLAN1_VAP0_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_VAP1_RS_PASSWORD=""
DEF_WLAN1_VAP1_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_VAP2_RS_PASSWORD=""
DEF_WLAN1_VAP2_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_VAP3_RS_PASSWORD=""
DEF_WLAN1_VAP3_ACCOUNT_RS_PASSWORD=""
DEF_WLAN1_VAP4_RS_PASSWORD=""
DEF_WLAN1_VAP4_ACCOUNT_RS_PASSWORD=""
PPP_PASSWORD=""
PPTP_PASSWORD=""
L2TP_PASSWORD=""
SUPER_PASSWORD=""
USER_PASSWORD="guest"
DDNS_PASSWORD=""
VPN_PASSTHRU_IPSEC_ENABLED=1
VPN_PASSTHRU_PPTP_ENABLED=1
VPN_PASSTHRU_L2TP_ENABLED=1
WLAN0_RS_PASSWORD=""
WLAN0_ACCOUNT_RS_PASSWORD=""
WLAN0_VAP0_RS_PASSWORD=""
WLAN0_VAP0_ACCOUNT_RS_PASSWORD=""
WLAN0_VAP1_RS_PASSWORD=""
WLAN0_VAP1_ACCOUNT_RS_PASSWORD=""
WLAN0_VAP2_RS_PASSWORD=""
WLAN0_VAP2_ACCOUNT_RS_PASSWORD=""
WLAN0_VAP3_RS_PASSWORD=""
WLAN0_VAP3_ACCOUNT_RS_PASSWORD=""
WLAN0_VAP4_RS_PASSWORD=""
WLAN0_VAP4_ACCOUNT_RS_PASSWORD=""
WLAN1_RS_PASSWORD=""
WLAN1_ACCOUNT_RS_PASSWORD=""
WLAN1_VAP0_RS_PASSWORD=""
WLAN1_VAP0_ACCOUNT_RS_PASSWORD=""
WLAN1_VAP1_RS_PASSWORD=""
WLAN1_VAP1_ACCOUNT_RS_PASSWORD=""
WLAN1_VAP2_RS_PASSWORD=""
WLAN1_VAP2_ACCOUNT_RS_PASSWORD=""
WLAN1_VAP3_RS_PASSWORD=""
WLAN1_VAP3_ACCOUNT_RS_PASSWORD=""
WLAN1_VAP4_RS_PASSWORD=""
WLAN1_VAP4_ACCOUNT_RS_PASSWORD=""
#In the meantime, it looks like this exposed that the default password guest is being used, which is well documented in Netis routers.