Hello Everyone, I’m “ABIDA Fahd ” from Java~Drink3rs Team, I'm a software engineer and a bug bounty hunter, in this article, I will show you how I was able to penetrate the administration system of my university and how I discovered a critical old bug in some DVR products.
The story starts when I was in mathematics class, I get bored and I had no wifi connection then I said why not to try cracking some wifi, it will be fun, I turned up my laptop and I start looking for available networks on the area…scan completed and I found some wifi with WP2 encryption which is very hard to crack during the limited time of the course, then I saw a wifi network called ‘WiFI’ the name was attractive to me actually I don’t know why it was a deep felling=), I start collecting information about the network… and ‘BINGOO’ I found that the WPS option is activated in the router :$, it's the most easier and the most dangerous way where an attacker can get into a network.
So used a beautiful tool called ‘Waircut’ to exploit the WPS vulnerability in a brief time, and I got the password quickly.
Now I ’m connected to the target and its time to Dig more 😛 I needed to know who’s the owner and where the wifi comes from, is it from the university or from a neighbor house?
To begin the mission I started a simple scan with ‘Nmap’ tool in objective to check other machines connected with me and I got this!
A lot of machines but I’m showing you here the important ones :
192.168.1.244 ‘GPON Home gateway’
192.168.1.31 ‘D-link router’
The Printer was easy to access in, there was no password which is so dangerous, the two next Ips as you can see where simple routers and nothing special, but the last one were so interesting.
I copied the last Ip to my browser to check if its a service-machine, and BOOM I got this!
I don’t hide you that I was surprised and happy at the same time, shocked because I had no idea what’s this login panel about! there is no label no description nothing to guide me just this stupid empty text field…
The first idea who comes to my mind is to try random login and passwords hoping it works, but I said hell no this is so blind, why not to find a way where I can know where this panel came from, then find a way to login smarter than brute force, I had to use the magic combination
‘CTRL + U’ to see if there is something to exploit in the source page, but as everyone expected I found nothing :3…
but with some positivity, there is a word inside the source code written in chines language 🎃 it may be a good indicator to something, so let’s give the word to the translator.
as you can see the word is “net surveillance web” which mean something who has a relation with security, maybe some kind of firewalls or surveillance cameras…
I had to use google to know more about this and its ends by surveillance cameras as we thought!
I spent about two days searching about how to reset the password of this device how can I bypass it or how the owner can change it if one day he lost it, you may ask your self why two days, well! the result is so funny there is no way to reset the password by the user, there is no reset button, actually there is nothing, I noticed this from a lot of users talking about there experience in forums, I can say its a strategy adopted by the seller company to win more money by fixing this problem to you, if one day you forgot you're password, a question comes to my mind after reading users comments “ if users can’t reset the device options, how can the company do it ? I'm sure there is a hidden way that the company use, and I'm sure is not that complicated to find.
I got back to the web interface I already found before, and I tried some users and passwords randomly like “Admin, Admin” “Admin, Password”, “Admin,12345”… six tries with no result, but at the 7 try something awesome happened, I have no idea how it's possible or why, but it's just happened I got access to the panel!
As you can see, I’m inside and there is 24 cameras and some options to discover later, I was excited I tried to see if I can display one of thous cameras but unfortunately, this panel is just useless and nothing work inside.
The way I used to log in with, is maybe a bug in the system or an option if we don’t have the real password or just to check how the panel looks like, anyway 7 tries of a random password can lead you to this x)
well, the story can’t stop here ofc, if you focus a little on the image I posted before you can notice something called Version, let's discover it.
it shows the version of the device and believes me this was the first step to finding the right way in this penetration attempt.
So what a hacker can do with a version of a device? One big answer is to collect more information and search for vulnerabilities already found in the target, I used google again to check if there is something interesting about this device version “V4.02.R11….”
without talking about all the result given, one of them was interesting, it's about another company who sells the same device, this beautiful company give a lot of information about the product and also the firmware file of the device I'm looking for x).
I wget the firmware related with my version “V4.02.R11….” and I said what if I can reverse engineer this? maybe I can find a way to delete the authentification or to customize the device or something…
The file downloaded was ‘.zip’ nothing special, unzip blabla.zip can do the job…
so what's inside this?
3 files inside .bin, .txt and .img let's start with the first one the .bin file how can I deal with it or how can I open it? I used many tricks but nothing works, then I said it's it really a binary file O.o? well let's check this by the Command file which is a powerful technique to know the nature of a file in Unix systems
Heuh the result is funny, you can notice that is just another zip file x)
heein, the content is so interesting, a lot of things to discover but to make the article shorter and sweet for you Mr reader I will jump directly top the InstallDesc file which is a .txt file.
The content is clear enough, a kind of Upgrade commands that burn the fils founded before in the device, the other files are a little bit complicated to understand, and after a lot of research I found the correct file to dig into, its the ‘romfs-x.cramfs.img’ let's file it again as we did before!
hmm! I can see here something like an image file of a Linux Os which can make you think about a lot of possibilities like maybe this firmware is a Linux system…
so to know more about the file I will use a special tool called Binwalk, a very useful one it can do the job of the file command, the HEX-DUMP command and more things than you can imagine.
Binwalk gives more information about the image file like the 64 bit of header image and it also says that there is a hidden data in CRC : …
Binwalk tool has a nice option that can automate all the work you can use ‘Binwalk -Me DVRfilename.bin and bingo!
It will extract all data inside our Bin file...
The result will be stored in a new file for me, it was ‘_romfs-X.cramfs.img.extracted’ so let's see what inside.
And if you know where to search you will get something interesting, Lets Cd to the ETC/PASSWD …
I used Hashcat to decrypt the password you can use ur own technique,the Plain text version of the password is: “MDZ11“
So and the end I can say that the company uses a telnet connection with the root session to edit or update the product …
I hope this article is helpful for people who suffer from this kind of problems
share it if you enjoyed it ❤