I’m trying to gain root access on a cheap DVR that I bought for a CCTV system. The manufacturer has a firmware update image available for download that I was able to inspect using a tool called binwalk and I extracted the rootfs. It looks like a flavor of embedded Linux with Busybox.
I took a look at the /etc/passwd file and it has one line for root with a password hash and a login shell defined. There’s no /etc/shadow file but there is a /etc/passwd- which I haven’t seen before.
I also found an init script that would normally be launching telnetd but it’s commented out.
Can I just generate a new password hash to substitute in /etc/passwd, uncomment the telnetd line and then log in as root with the new password through telnet over the network?
(Of course this is ignoring the possible problems I could run into with flashing the new firmware onto the device and bricking it.)
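The manual inspection described in the post (password hashes stored directly in /etc/passwd and its backup copy /etc/passwd-, a missing /etc/shadow, and telnetd lines in init scripts) can be scripted as an audit of any extracted rootfs. This is an added example, not part of the original post; the function names and the sample tree built in `demo()` are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def hash_scheme(field):
    """Classify a passwd password field; None means no hash is stored in it."""
    if field in ("x", "*", "!"):
        return None                      # shadowed or locked
    if field == "":
        return "EMPTY (no password)"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt(3): 13 characters, no "$" prefix.
    return "des-crypt" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else "unknown"

def audit_rootfs(root):
    """Return a list of findings for an extracted root filesystem at `root`."""
    etc, out = Path(root) / "etc", []
    if not (etc / "shadow").is_file():
        out.append("etc/shadow: absent, hashes are not shadowed")
    for f in sorted(p for p in etc.rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        for n, line in enumerate(f.read_text(errors="replace").splitlines(), 1):
            parts = line.split(":")
            # passwd- is the backup copy account tools leave behind; audit it too.
            if f.name in ("passwd", "passwd-") and len(parts) >= 7 and hash_scheme(parts[1]):
                out.append(f"{rel}: {parts[0]} {hash_scheme(parts[1])} hash, shell {parts[6]}")
            elif "telnetd" in line:
                state = "commented out" if line.lstrip().startswith("#") else "ENABLED"
                out.append(f"{rel}:{n}: telnetd {state}")
    return out

def demo():
    """Audit a constructed sample tree (all values below are made up)."""
    with tempfile.TemporaryDirectory() as d:
        init = Path(d, "etc", "init.d")
        init.mkdir(parents=True)
        Path(d, "etc", "passwd").write_text("root:XXplaceholder:0:0:root:/:/bin/sh\n")
        Path(d, "etc", "passwd-").write_text("root:$1$CONSTRUCTED$hash:0:0:root:/:/bin/sh\n")
        (init / "rcS").write_text("#!/bin/sh\n# telnetd &\n/usr/bin/dvr_app &\n")
        return audit_rootfs(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

To audit a real image, call `audit_rootfs()` with the directory binwalk extracted the root filesystem into.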