0ki / mikrotik-tools Goto Github PK

devel-login don't work routeros v6.41 x86?

Hello,

I've playing around with your 6.42+ mikrotik (flashdrive) exploit and I was wondering if may it be possible to create a persistent method.
I tried to add to the line that creates the tmp file which is used to execute the mount -o bind command another echo which would output to a new /rw/pckg/defconf when it boots, sort of defconf loop ;)

Something like:
echo "; mkdir /pckg/option; mount -o bind /boot/ /pckg/option; ln -s / /rw/pckg/.root; echo \"\; mkdir /pckg/option\; mount -o bind /boot/ /pckg/option\; ln -s / /rw/pckg/.root\; \" \> /rw/pckg/DEFCONF ;" > /tmp/$JBID

EDIT: The text above was supposed to have several backslash characters trying to avoid the first echo to execute the commands of the second echo which was supposed to be executed only at boot but looks like github doesn't allow this.
Maybe if you try to edit my post, then you can see the backslash characters.

But it hasn't worked. Anyway, I'm not a programmer, just a little bit curious.

Do you think something like that can be done? Maybe something else?

P.S. Thank you for your work! Great tools!

Hello~ I have a question of supported version

If I use exploit-defcon file, I can get shell of ls on that version?

Thank you!!

My RouterOS version is 6.45.3 and I want to extract user data from my backup.
decode_backup script works normally but decode_user reports all data except passwords.
In addition, are shown two parameters (_r20 and _r21) with hexadecimal ascii characters.
Version 6.45.3 is probably not compatible?
Thanks for the support!

After upgrading to 6.41, the /nova/etc/devel-login file does not enable the devel account. The string "devel-login" is no longer found within /nova/bin/login.

is there any tools to decode Winbox communication ?
simple request sent by Winbox :

\x37\x01\x00\x35\x4d\x32\x05\x00\xff\x01\x06\x00\xff\x09\x01\x07\x00\xff\x09\x07\x01\x00\x00\x21\x04\x6c\x69\x73\x74\x02\x00\xff\x88\x02\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\xff\x88\x02\x00\x02\x00\x00\x00\x02\x00\x00\x00

Device: Mikrotik hEX RB750gr3
Firmware: 6.42.2

Reproduction from a fresh clone of this repo, under the exploit-backup folder:

ssh [email protected] '/system backup save name=jailbreak dont-encrypt=yes'
Configuration backup saved
scp [email protected]:/jailbreak.backup ./jailbreak.backup
jailbreak.backup                                                                                                                                             100%   17KB   3.5MB/s   00:00    
./exploit_b.py jailbreak.backup
Done. Now restore from jailbreak.backup.

scp [email protected]:/jailbreak.backup ./jailbreak.backup
jailbreak.backup                                                                                                                                             100%   17KB   3.7MB/s   00:00    
ssh [email protected] '/system backup load name=jailbreak password=""'
System configuration restored, rebooting now

After reboot:

➜ telnet 192.168.88.1
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.

MikroTik v6.42.2 (stable)
Login: devel
Password: 
Login failed, incorrect username or password

Reading #2 it seems like the file pckg/option needs to exist (is that a typo for pkg/option)?

Tried to add thusly:

➜ sftp [email protected] <<END
mkdir pckg
mkdir pckg/option
END
Connected to [email protected].
sftp> mkdir pckg
sftp> mkdir pckg/option

Same behavior following:

➜ telnet 192.168.88.1
Trying 192.168.88.1...
Connected to 192.168.88.1.
Escape character is '^]'.

MikroTik v6.42.2 (stable)
Login: devel
Password: 
Login failed, incorrect username or password

Just noticed the code in the VirtualBox appliance is totally different than what is in the source tree here. Tried it out. It correctly detects my device IP, plays some tones, instructs me to swap cables and then hangs on waiting for device to boot (it does reboot).

Any suggestions on a path forward @0ki? I'm going to start digging into the code for the exploit in the appliance tomorrow to see if I can understand why it is getting hung up.

Hello:
I have tested the jailbreak tool on a tile-arch device with version 6.40.5, 6.40 and 6.41.2 but the device cannot work normally and reboots repeatedly.
So is there anything special when I use the tool on the tile-arch device?
The factory software of the device is 6.40.
Thanks.

Hi there I've been stugging so basically I have a fibre connection to my ont and from my ont to my mikrotik I've established a connection via pppoe but when I connect my device to the mikrotik there's still no internet

Anybody willing to give me some advice I'd really appreciate it thank you

Version is 6.38

now it is possible to decode the file supout.rif into a folder.
make it possible to make a file supout.rif in the reverse order from the folder.

now it is impossible to build from a folder because you need to specify separate sections and file launches.

I don't want to give my private data to tech support. i want to delete all my private data before sending it.

Dear
I am a beginner
how I can use encode_supout.py and decode_supout.py
I have supout.txt and I cannot encode it
I need Command Line to run it
regards

Hi! I just see your slides (http://kirils.org/slides/2017-10-21_MT_Hacktivity_pub.pdf)

I think you can be interested in these my two projects:
https://github.com/BigNerd95/RouterOS-Backup-Tools
https://github.com/BigNerd95/Chimay-Red

I then have a 0day to jailbreak RouterOS without using npk.
We can talk about this in PM.