Today I will teach you how to obtain the root password from a WiFi router firmware image.
Why would I waste my time doing so?
- Root passwords from a firmware image can be used in some circumstances to obtain access to a router system via a serial port or other services.
- Potential backdoor left by developers as found here:
- This tutorial is intended to be a basic one in order to learn fun and useful stuff
- Good for CTF training.
Steps to get the password:
- Download the latest available version at: https://www.tp-link.com/en/download/TL-WR740N_V7.html#Firmware
- binwalk -e wr740nv7_eu_3_16_9_up_boot\(160708\).bin
- Go to “_wr740nv7_eu_3_16_9_up_boot(160708).bin.extracted/squashfs-root/etc/” and open the shadow file.
- Bruteforce or obtain from Google the equivalent password for the given hash.
In other words:
The password for the given hash (root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::) is equal to “shoadmin”.
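
To review an extracted shadow file from the defender's side, the following added example (not part of the original post) parses each entry, identifies the crypt(3) scheme from its `$id$` prefix, and reports accounts that allow password login with a weak or empty hash. The function names `parse_shadow_line` and `audit_shadow` are hypothetical, and the last two sample lines are constructed.

```python
from datetime import date, timedelta

# crypt(3) prefix -> (scheme name, weak for stored passwords?)
SCHEMES = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "2a": ("bcrypt", False),
           "2b": ("bcrypt", False), "2y": ("bcrypt", False),
           "y": ("yescrypt", False)}

def parse_shadow_line(line):
    """Split one shadow(5) entry and classify its password field."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    user, pw, lastchg = fields[:3]
    entry = {"user": user, "scheme": "locked", "login": False,
             "weak": False, "changed": None}
    if lastchg.isdigit():  # field 3 counts days since 1970-01-01
        entry["changed"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    if pw == "":
        entry.update(scheme="empty", login=True, weak=True)
    elif pw[0] in "!*":
        pass  # locked account, password login not possible
    elif pw.startswith("$") and pw.count("$") >= 3:
        # unknown prefixes are flagged for manual review
        name, weak = SCHEMES.get(pw.split("$")[1], ("unknown", True))
        entry.update(scheme=name, login=True, weak=weak)
    else:
        # no $id$ prefix: traditional DES-based crypt
        entry.update(scheme="descrypt", login=True, weak=True)
    return entry

def audit_shadow(text):
    """Return entries that allow password login with a weak or empty hash."""
    entries = [parse_shadow_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if e["login"] and e["weak"]]

# First line is the entry quoted in the post; the other two are constructed.
SAMPLE = """\
root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
nobody:*:0:0:99999:7:::
admin:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE):
        print(f'{e["user"]}: {e["scheme"]}, last changed {e["changed"]}')
```

The `$1$` prefix marks the root entry as md5crypt, and the third field (15502) shows the hash was set years before the 160708 build named in the firmware file, which is typical of a credential baked into the image.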