Sunday, November 01, 2015

Innatech RG4332


So, I'm a bit bored tonight... I scanned my network just for fun and found out something about the unifi router.


So I tried logging in as root and guessed the password.

login as: root
root@192.168.0.1's password:


BusyBox v1.6.1 (2013-12-23 17:22:03 HKT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Well, that is easy.

# cat /etc/shadow
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

Looks like these password hashes have been recycled a few times in router firmware.
Check it out. Not a surprise, I guess. More interesting bits below:

# ps
  PID USER       VSZ STAT COMMAND
    1 root      1584 S    init
    2 root         0 SW<  [kthreadd]
    3 root         0 SW<  [ksoftirqd/0]
    4 root         0 SW<  [watchdog/0]
    5 root         0 SW<  [events/0]
    6 root         0 SW<  [khelper]
    9 root         0 SW<  [async/mgr]
   74 root         0 SW<  [kblockd/0]
   84 root         0 SW<  [khubd]
  101 root         0 SW   [khungtaskd]
  102 root         0 SW   [pdflush]
  103 root         0 SW   [pdflush]
  104 root         0 SW<  [kswapd0]
  106 root         0 SW<  [crypto/0]
  663 root         0 SW<  [mtdblockd]
  726 root      4428 S    /usr/sbin/mini_httpd -d /usr/www -c /cgi-bin/* -u ro
  730 root      2632 S    /usr/bin/pc
  732 root      1588 S    -/bin/sh
  733 root      4964 S    /usr/bin/logic
  734 root      2560 S    /usr/bin/ip6mon
  735 root      2564 S    /usr/bin/ramon
  736 root      2576 S    /usr/bin/ip6aac
  742 root      1592 S    /usr/sbin/inetd
  744 root      2224 S    /usr/sbin/dropbear
 1412 root      2612 S    /usr/sbin/pppd plugin rp-pppoe.so eth5 user
 1420 root      1204 S    /sbin/udhcpc -i eth8 -m 1500 -f
 1534 root      1984 S    /usr/sbin/dhcp6c -c /var/dhcpv6/dhcp6c_301203713 -f
 1698 root      1204 S    /sbin/miniupnpd -f /etc/upnpd.conf -d
 1921 root      1208 S    /usr/sbin/radvd -C /var/radvd.conf -d 1
 1967 root      2040 S    /usr/sbin/dhcp6s -c /var/dhcpv6/br0.conf -f br0
 2007 root      1320 S    /sbin/dproxy -c /etc/dproxy.conf -d
 2124 root      1244 S    /sbin/udhcpd /var/udhcpd.confge
 6840 root      2280 R    /usr/sbin/dropbear
 6841 root      1592 S    -sh
 6872 root      1584 R    ps

# pwd
/var/log

# cat device_info
Manufacturer: innacomm
ProductClass: RG4332
SerialNumber: RGWINNIN15********
IP: 192.168.0.1
HWVer: RTL8196C
SWVer: RG4332_V2.7.0

There is a Samba config file in /etc, but when I try to connect it doesn't work. Not sure what its purpose is.


# cat smb.conf

[global]
workgroup = home
netbios name = dsl_route
server string = Samba Server
security = user
local master = Yes
preferred master = Yes
encrypt passwords = yes
smb passwd file = /var/smbpasswd
#private dir = /tmp/smbvar
socket options = TCP_NODELAY
wins proxy = no
log level = 10
load printers = no
guest account = root
log file = /var/log/smblog
max log size = 0
interfaces = 192.168.1.1/255.255.255.0
dns proxy = no
browseable = yes
guest ok = yes
writeable = no

display charset = utf8
unix charset = utf8
dos charset = utf8

public = yes

[usb1_1]
path = /mnt/usb1_1
writeable = yes
browseable = yes
directory mask = 0777
create mask = 0777
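
The smb.conf above sets the guest account to root, enables guest access in [global], and defines a writable share with 0777 masks. As an added example (not from the original post or the router firmware), this Python script flags those settings on a device config, resolving [global] defaults and parameter synonyms the way Samba does; the function name audit_smb_conf and the finding strings are assumptions made for illustration.

```python
import configparser

# Settings copied from the smb.conf dump above, trimmed to the parameters checked.
SAMPLE = """\
[global]
guest account = root
log level = 10
max log size = 0
guest ok = yes
writeable = no
public = yes

[usb1_1]
writeable = yes
directory mask = 0777
create mask = 0777
"""

SYNONYMS = {"public": "guest ok", "writable": "writeable", "write ok": "writeable"}
YES = {"yes", "true", "1"}

def _params(section):
    # Fold Samba parameter synonyms onto one name; values compared case-insensitively.
    return {SYNONYMS.get(k, k): v.strip().lower() for k, v in section.items()}

def audit_smb_conf(text):
    """Return (section, finding) tuples for risky settings in smb.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Section names are case-insensitive in Samba, so key them in lower case.
    sections = {n.lower(): _params(cp[n]) for n in cp.sections()}
    glob = sections.pop("global", {})
    findings = []
    if glob.get("guest account") == "root":
        findings.append(("global", "guest account is root"))
    level = glob.get("log level", "0")
    if level.isdigit() and int(level) >= 10 and glob.get("max log size") == "0":
        findings.append(("global", "debug logging with unlimited log size"))
    for name, params in sections.items():
        eff = {**glob, **params}  # [global] values are the defaults for every share
        if eff.get("guest ok") in YES and eff.get("writeable") in YES:
            findings.append((name, "guest-accessible and writable"))
        for key in ("directory mask", "create mask"):
            if eff.get(key) == "0777":
                findings.append((name, f"{key} is 0777"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE):
        print(f"[{section}] {finding}")
```

The share is flagged as guest-accessible only because `guest ok = yes` is inherited from [global]; the [usb1_1] section never sets it itself.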

I'm getting sleepy, so I'll continue this next time I hope... Bai for now.