8

Backstory: I have a Huawei HG8245 router in my house and I want to change the default username/password. I've tried following this guide but the config file always gets reset. My ISP isn't helping either so I'm looking for other ways to accomplish this. The router has telnet access so this seems like a way to change the credentials.

The first shell I gain access to looks like this:

WAP>

Pressing "?" gives me a list of available commands which I've pasted here, the two interesting ones are "su" and "shell". I can't seem to get su access, even after logging in as root (challenge password prompt, and then nothing happens), but shell gives me a proper linux shell.

WAP>shell

BusyBox v1.18.4 (2017-12-26 17:06:34 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

WAP(Dopra Linux) #

Now this is where it gets interesting, BusyBox is installed, but the help command doesn't actually work.

WAP(Dopra Linux) # help
ERROR::Command is not existed

Hitting "?" again gives me another list of available commands which I've pasted here. They are pretty limited but I have access to ls and I can see that /bin actually has a lot of classic linux stuff in it, but I can't seem to run any of it, even busybox. It just throws the cheeky "Command is not existed" error message.

My question is: How can I access these commands (preferably cat and echo)?

Dzeri96
  • 111
  • 2
  • 5
  • `/bin/echo hello` – Rui F Ribeiro Sep 06 '18 at 01:26
  • @RuiFRibeiro "Command is not existed" – Dzeri96 Sep 06 '18 at 01:27
  • https://github.com/ekawahyu/ekawahyu.github.io/blob/master/_posts/2015-05-08-hg8245-internet-backdoor-remote-access.md – slm Sep 06 '18 at 01:28
  • @slm I can't run grep, or /bin/grep even though it exists. That's the whole point of my post. – Dzeri96 Sep 06 '18 at 01:32
  • @slm I also found that link. However, I also find clues of this being a restricted shell. Working in the ISP industry, I would not be surprised if this also has added proprietary routines/backdoors added by the operator. (....) I highly doubt breaking out of this shell is on-topic here. – Rui F Ribeiro Sep 06 '18 at 01:34
  • `echo $PATH` and `echo $SHELL` please – roaima Sep 06 '18 at 16:37
  • @roaima "ERROR: Input para is not right". Running echo with a normal string just returns a "Command is not existed" – Dzeri96 Sep 06 '18 at 16:40
  • What about `ls -lR`? I've been reading [https://forum.kitz.co.uk/index.php?topic=15674.0] – roaima Sep 06 '18 at 16:49
  • @roaima This one works, but the output is massive. Is there anything I should look for? – Dzeri96 Sep 06 '18 at 18:05
  • what about `set userpasswd` ? (or su, then set userpassw ? ) Underlaying system might be unix, but shell (CLI) isn't any "standard" (like sh, bash, ksh). – Archemar Sep 08 '18 at 13:39
  • @Archemar There is actually a "set password" command in the list of available commands, and I've changed root's password, weirdly enough it still gets rejected when I use "su". Changing the default telnet login was a step in the right direction but I still need access to other commands in order to change the password for the web login in a config file. – Dzeri96 Sep 08 '18 at 13:46
  • I can't add an answer so I'll just comment. I'd try `su` followed by `shell`. It did there trick for me. – Maciej Piotr Przepióra Jul 14 '21 at 00:07

0 Answers0