Hello, this is the /
from a Telstra T-Gateway router. It's as close as I could get to a full copy, there's no proc
, sys
, dev
etc, as I ripped it out through samba.
Sharing this in case someone else wants to root it. I haven't yet, hopefully will soon. I can tell you, it's no Netgear, this thing seems fairly alright for a router, security wise.
Followed a symlink!
Okay, here's a step by step:
-
Get a USB flash drive. Format that bad boy as ext4.
-
On the USB, make a symlink to root (
ln -s root /
). -
Plug the USB into the router. Make sure filesharing is enabled.
-
Here comes the tricky part.
- On Windows, you should be able to go to
\\10.0.0.138\usbdisk
just in explorer, and then click through to the symlink we made on step 2. - On Linux, I seem to remember you had to mount it like
mount.cifs -o nounix //10.0.0.138/usbdisk /mnt/evil
, then you could access the fs root through/mnt/evil/name_of_usb/root/
. If you mount it without the-o nounix
, the symlink will actually point at your computer's root.
- On Windows, you should be able to go to
-
Copy it over with copy and paste (windows), or on Linux, you can do it the leet way like
rsync -Pa /mnt/evil/name_of_usb/root ~/wherever/you/like/
. (I no longer have access to the vuln router, so I can't test these for you)
Well, is your router up to date? If so... then no. The vuln works on 15.1 Coral (which the router came with), but I've since updated to 15.3 Turquoise, and it doesn't seem to work anymore. Looks like they've fixed the samba permissions.
Sure did.
- My pppoe username/pass have been changed to "pppoe-username" and "pppoe-password"
- The router's ethernet mac is now
de:ad:06:66:00:00
. - The router's wifi mac is now
de-ad-06-66-00-01
. - The router's serial number is now
1234ABCDE
(the real serial has the same number of numbers and letters).
- All those
.lp
files in/www
? Lua Pages. (I didn't know that, at least) - There's a few directories missing, like
/rom
(which did not feel like copying over),/proc
etc. - Also a few files I couldn't read, like
/etc/shadow
, that sort of thing. Plus a bunch of files in/custo
IIRC. - I think
/var
was a symlink to/tmp
, or the other way around. - Samba and nginx both run as
nobody
. (hmmm) - All the files/folders are
uid=0 gid=0
and completely unwritable, except for a few that wereuid=65534 gid=65534
(nobody):/var/run/assistance
and contents; and/var/lib/nginx/body
. /tmp
was writable, and folders made there seem to persist across reboots.- I also posess a random coredump from something called
minitr064d
, too lazy to edit the sensitive info out right now, but contact me if you'd like it. - This device had never been online when I did this. It was 10.0.1.138/24, not 10.0.0.138.