I’m trying to gain root access on a cheap DVR that I bought for a CCTV system. The manufacturer has a firmware update image available for download that I was able to inspect using a tool called binwalk and I extracted the rootfs. It looks like a flavor of embedded Linux with Busybox.
I took a look at the /etc/passwd file and it has one line for root with a password hash and a login shell defined. There’s no /etc/shadow file but there is a /etc/passwd- which I haven’t seen before.
I also found an init script that would normally be launching telnetd but it’s commented out.
Can I just generate a new password hash to substitute in /etc/passwd, uncomment the telnetd line and then log in as root with the new password through telnet over the network?
(Of course this is ignoring the possible problems I could run into with flashing the new firmware onto the device and bricking it)
Go to Source
Author: jvergeldedios