Getting root password from firmware image (TP-Link WR740n example)

Today I will teach you how to obtain the root password from a WiFi router firmware image.

Why would I waste my time doing so?

  • Root passwords from a firmware image can be used in some circumstances to obtain access to a router system via a serial port or other services.
  • Potential backdoors left by developers, as found here: Gas Stations Hardcoded Passwords (CVE-2017-14728)
  • This tutorial is intended to be a basic one in order to learn fun and useful stuff.
  • Good for CTF training.

Steps to getting the password:

  • binwalk -e wr740nv7_eu_3_16_9_up_boot\(160708\).bin
  • Go to “_wr740nv7_eu_3_16_9_up_boot(160708).bin.extracted/squashfs-root/etc/” and open the shadow file.
  • Brute-force the given hash, or look up the equivalent password on Google.

In other words:

The password for the given hash (root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::) is “shoadmin”.
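
A defensive counterpart to the steps above, as an added example that is not part of the original post: a Python audit that parses the shadow file found under squashfs-root/etc/ and flags every account shipped with a login-capable hash, noting the crypt scheme, salt and last-change date. The function names, the severity labels and the two extra sample lines are assumptions made for illustration.

```python
from datetime import date, timedelta

# crypt(3) identifiers -> (scheme name, weak for a shipped credential?)
SCHEMES = {"1": ("md5crypt", True), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "2a": ("bcrypt", False),
           "2b": ("bcrypt", False), "2y": ("bcrypt", False)}

def parse_shadow_line(line):
    """Return a dict describing one shadow entry, or None if malformed."""
    fields = line.strip().split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    user, pw = fields[0], fields[1]
    entry = {"user": user, "scheme": "locked", "salt": None,
             "login": False, "weak": False, "changed": None}
    if len(fields) > 2 and fields[2].isdigit():
        # Field 3 is the last password change, in days since 1970-01-01.
        entry["changed"] = date(1970, 1, 1) + timedelta(days=int(fields[2]))
    if pw == "":
        entry.update(scheme="empty", login=True, weak=True)
    elif pw.startswith("$"):
        parts = pw.split("$")  # ['', id, salt or rounds=N, ..., digest]
        name, weak = SCHEMES.get(parts[1], ("unknown", True))
        entry.update(scheme=name, login=True, weak=weak)
        if parts[1] in ("1", "5", "6") and len(parts) >= 4:
            entry["salt"] = parts[3] if parts[2].startswith("rounds=") else parts[2]
    elif pw[0] not in "!*":
        entry.update(scheme="descrypt", login=True, weak=True)  # legacy DES
    return entry

def audit_shadow(text):
    """Return (severity, entry) for every account that can log in."""
    findings = []
    for line in text.splitlines():
        entry = parse_shadow_line(line)
        if entry and entry["login"]:
            # A login hash baked into an image is shared by every device running it.
            findings.append(("high" if entry["weak"] else "medium", entry))
    return findings

# First line is the entry quoted on the page; the other two are constructed samples.
SAMPLE = """root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
nobody:*:15502:0:99999:7:::
support:$6$rounds=5000$c0nstructedSalt$c0nstructedDigest:15502:0:99999:7:::
"""

if __name__ == "__main__":
    for severity, e in audit_shadow(SAMPLE):
        print(severity, e["user"], e["scheme"], e["salt"], e["changed"])
```

To audit a real image, pass the contents of the extracted etc/shadow to audit_shadow() instead of SAMPLE.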

A common IT Security Specialist, Hacker, Scout and much more.
