I came from a village where internet connectivity is very poor and you can hardly use mobile data to operate your laptop. When i used to visit my village in vacations to meet my parents i used to face a lot of internet problems So planned to buy a broadband connection from a near by internet service provider. I paid around 130$ to get a connection and paid 2 months advance bill so i can work without any problem. First 10 days it was fine but on 11th day the internet connection started fluctuating, on 12th day the whole day i didn’t got internet and from 15th day the internet connection is totally off for a month till my vacation end’s. I called them, went to their office but they ignored me even they didn’t even refund the bill i paid them in advance. I got really frustrated and angry.
When i used to visit their office i saw a “High Speed Wireless Access point” on the top of their office which i guess they use to provide wireless broadband connection to their clients whom they cant provide wired connections (remote villages). As its a airFibre network so it doesn’t have any encryption. Just establish a SP2P bridge and you are inside the network. If you think its an out dated technology then you are wrong just check your broadband provider he maybe using it too 😛
I got an idea and was damn sure it was gonna work. So on the next visit to my village i bought a second hand CPE from OLX and setup it on the rooftop of my house. 😉
from official resources i have learned how to setup and configure this device. And i knew that i have to put my CPE to accurate angle to make it work perfectly. I used google map to determine the accurate angle.
in the above picture blue circle is my house (CPE) and red marked area is the place where Wireless access point is situated. Below is the configuration of my CPE so i can interact with the access point.
Well now i was able to interact with the access point. When i opened 192.168.10.1 i was served with this.
From the page source i found its running a bandwidth management software name “SmartGuard” version 6.3.96. Got a public exploit for version 6.3.2 but that vulnerability is patched in my case as its the latest one. Downloaded the latest version and hosted it on my local server. After a day of white box penetration testing i found a Xpath sql injection vulnerability on a parameter. Wrote a simple script to extract the password.
Ran the script against the target and got the md5 hashed password.
Decoded it and got the password of admin 😛
Logged in as administrator
The application was running as root so i got a reverse shell too 🙂
PS: I didn’t harm their infrastructure or did anything bad to them. Its their bad that they didn’t able to keep commitment towards their clients. The bug has been reported and fixed by the company.
thanks for reading
follow me on twitter @spidersec