In this post, we will take a look at the new PLDT EchoLife HG8145V ONT and show how can we access SSH and Telnet using root account.
Few assumptions and heads-up before we start:
- Assuming we do not know what the root password is and or we have failed cracking the hash.
- I have set my adminpldt account password to “password123” for demonstration purposes.
- You have access to adminpldt account – as you might have already know, upon activation of your account, PLDT Technicians/Engineers seems to change the password via ACS / TR069 remote management, which is another interesting subject.
- You’re doing this at your own risk!
If you’re unable to login using adminpldt, we can assume, that somebody might have changed the password already. You can factory reset your device, granting they didn’t remotely upgraded the firmware yet (yes they can do that!) else the supposed default credentials below won’t work.
username: adminpldt | password: 1234567890
Let’s get started!
1. Access and login to your ONT. Default should be http://192.168.1.1/
2. Navigate to System Tools > Configuration File – Download the configuration file, make sure to set aside the original config file (hw_ctree.xml), just make a copy of it and save as new file e.g. (root_hw_ctree.xml)
3. Open root_hw_ctree.xml using your favorite editor and search for the keyword “<UserInterface>”. Accounts: root, admin and adminpldt should be in there.
4. Copy the hash and salt from adminpldt account to root account as shown below. You can generate hash if you want, but for simplicity let’s just stick with this for now.
5. Save and Upload the modified config file.
5. Your all set! Finally time to test! use your adminpldt password for root [ ssh || telnet <your ont’s ip> ]
So there is a BusyBox Shell.. But upon checking commands and files, it seems the box is locked-down, but this is a good start to find other interesting stuff. Well that’s it for now. Hopefully this helps and as always happy hacking!