Dosis Network Down
Objective
Request
Drop by JJ's 24-7 for a network rescue and help restore the holiday cheer. What is the WiFi password found in the router's config?
Janusz Jasinski

Solution
Janusz said the gnomes brought the neighborhood Wi-Fi down and changed the admin password.
A URL to access the router web interface was provided. On the website, I noticed that the router was a TP-Link Archer AX1800 Wi-Fi 6 router running firmware version 1.1.4 build 20230219.

After looking online, I found that CVE-2023-1389 was associated with that specific firmware version of the router. This vulnerability is a command injection in the TP-Link Archer AX21/AX1800 web management interface that can allow unauthenticated remote code execution.

I also found a proof of concept in a Fortinet advisory. Based on this proof of concept, I tried a command injection.
I got an "OK" response.

This needs to be run twice to see a result, so I ran the command injection again and got the folders on the router.

After a couple of online searches I found that the password resides in etc/config/wireless.
A first ls etc revealed folders including a config folder.

The ls etc/config/ revealed the existence of the wireless file.

The cat etc/config/wireless revealed the router configs including the password.
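
Why reading that one file was enough, shown as an added example that is not part of the original write-up: OpenWrt-style UCI wireless configs keep the pre-shared key as a plain option value, so a defender auditing a router backup can inventory which interfaces expose a key or use weak encryption. The sample config is constructed, and the standard OpenWrt option names (ssid, encryption, key) and the function names are assumptions, not the challenge router's actual file.

```python
import shlex

# Constructed sample in standard OpenWrt UCI syntax (not the challenge router's file).
SAMPLE = """\
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'default_radio0'
    option ssid 'ExampleNet'
    option encryption 'psk2'
    option key 'constructed-example-key'

config wifi-iface 'guest'
    option ssid 'ExampleGuest'
    option encryption 'none'
"""

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not tokens:
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            name = tokens[2] if len(tokens) > 2 else ""
            sections.append({"type": tokens[1], "name": name, "options": {}})
        elif tokens[0] == "option" and len(tokens) >= 3 and sections:
            sections[-1]["options"][tokens[1]] = tokens[2]
    return sections

def audit_wireless(text):
    """Report each wifi-iface with its key redacted and a list of findings."""
    report = []
    for sec in parse_uci(text):
        if sec["type"] != "wifi-iface":
            continue
        opts = sec["options"]
        enc = opts.get("encryption", "none")
        findings = []
        if "key" in opts:
            findings.append("PSK stored in cleartext")
        if enc == "none" or enc.startswith("wep"):
            findings.append("weak or no encryption: " + enc)
        report.append({"iface": sec["name"], "ssid": opts.get("ssid"),
                       "key": "<redacted>" if "key" in opts else None,
                       "findings": findings})
    return report
```

Calling audit_wireless on the contents of a config backup returns one row per wireless interface without ever echoing the key itself.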

After submitting the password, the objective was added to the achievements list.

Answer
SprinklesAndPackets2025!
Response
Janusz Jasinski
Brilliant work, that. Got me connection back and sent those gnomes packin' from the router.
Now I can finally get back to streamin' some proper metal. BTC tips accepted, by the way..