Getting root access on ZyXEL VMG1312-B30B

Nothing special, just use undocumented command sh and you are there (I found it out by a mistake):

danman@silverhorse:~$ nmap 10.0.0.138

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 22:54 CEST
Nmap scan report for 10.0.0.138
Host is up (0.013s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
danman@silverhorse:~$ telnet 10.0.0.138
Trying 10.0.0.138...
Connected to 10.0.0.138.
Escape character is '^]'.
ZyXEL VDSL Router
Login: admin
Password: admin
 > help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
loglevel
logdest
virtualserver
ddns
df
dumpcfg
dumpmdm
meminfo
psp
kill
dumpsysinfo
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
snmp
sysinfo
tftp
wlctl
arp
defaultgateway
dhcpserver
dhcpcondserv
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
rip
igmp
wlan
telnetd
natp
sysstate
sipalgctl
celld
autoexec
fileShare
igmp
btt
ledctl
 > sh
shell Password: admin
~ # ls
bin         etc         linuxrc     proc        tmp         vmlinux.lz
data        firmware    mnt         sbin        usr         webs
dev         lib         opt         sys         var

Continue reading Getting root access on ZyXEL VMG1312-B30B

Turning ST-Link programmer into IR controlled USB keyboard

As I promised last time, I’m going to continue with st-link programmer clones. This time I wanted to use mbed which has some ready made libraries for utilizing USB and since it was very comfortable to use DFU upload with arduino library, at first I checked if it is usable with mbed too.

Continue reading Turning ST-Link programmer into IR controlled USB keyboard