Getting root password from firmware image ( TP-Link WR740n example)

Mar 7, 2018 · 2 min read

Today I will teach you how to obtain the root password from a WiFi router firmware image.

Why I would waste my time in doing so?

  • Root passwords from a firmware can be used in some circumstances to obtain access to a router system via an serial port or other services.
  • Potential backdoor left by developers as found here:
Gas Stations Hardcoded Passwords (CVE-2017–14728)
  • This tutorial is intended to be a basic one in order to learn fun and useful stuff
  • Good for CTF training.

Steps to getting the password:

  • binwalk -e wr740nv7_eu_3_16_9_up_boot\(160708\).bin
before binwalk -e
after binwalk -e
  • Go to “_wr740nv7_eu_3_16_9_up_boot(160708).bin.extracted/squashfs-root/etc/” and open shadow file.
  • Bruteforce or obtain from Google the equivalent password for the given hash.

In other words:

The password for the given hash (root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::) is squal to “shoadmin”.


Written by


A common IT Security Specialist, Hacker, Scout and much more.

More From Medium

Also tagged Pentesting

Related reads

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade