
Zero Auth to Admin: Exploiting Known Vulnerabilities in Real World Pen Tests

Krystian Działowy

Introduction

During an internal penetration test, I identified an unpatched MikroTik RouterOS device vulnerable to CVE-2018-14847. By exploiting this flaw in the Winbox service, I was able to extract administrator credentials without authentication and subsequently gained full read/write access via FTP and Winbox GUI.

This vulnerability is particularly dangerous due to its low complexity and high impact - it allows complete device takeover with just network access to the Winbox service.

About the Vulnerability

CVE-2018-14847 is a path traversal vulnerability in the Winbox protocol parser. It allows unauthenticated users to request and download the user database (user.dat) from the router’s file system. The file contains credential hashes and sometimes even plaintext passwords, depending on the system version.

Step-by-Step Exploitation

1. Crafting the Exploit Packet

The public PoC exploit (for example, the one at https://github.com/BasuCert/WinboxPoC) contains hardcoded binary payloads (the a and b arrays) that represent Winbox-formatted packets. These packets are crafted to:

  • initiate a connection to the target router (on port 8291 or 206/236)
  • abuse the protocol to request sensitive files using a traversal path (../../../../flash/rw/store/user.dat)
  • bypass authentication entirely.

This is the key portion:

Exploit packet

These byte sequences are then transmitted over a raw TCP socket to simulate Winbox protocol behavior.

2. Retrieving Credentials

After sending the packets, the script uses the function dump() from extract_user.py to parse the binary data returned by the router. The credentials (e.g., admin username and password hash or plaintext) are extracted from the user database.

Sample execution:

Credential extraction

3. Accessing FTP and GUI

With valid credentials in hand, I authenticated to:

  • the FTP server, gaining access to logs, configs, and the ability to upload/delete files:

FTP access

  • the Winbox GUI, where I obtained unrestricted administrative access and was greeted at the entrance by this beautiful message:

Winbox GUI access

Final Notes

This case is a textbook example of how one unpatched vulnerability can lead to total infrastructure compromise. Despite being public since 2018, CVE-2018-14847 continues to be exploitable in environments with outdated RouterOS versions.

Finally, my recommendations for the client are as follows:

  • Immediately upgrade RouterOS to the latest stable version.
  • Restrict Winbox and FTP access to trusted IP addresses using firewall rules.
  • Change all passwords - assume credentials are compromised.
  • Enforce strong password policies, disallowing dictionary passwords and weak passphrases (especially related to the company itself!).
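As an added example (not part of the original post or of the PoC it references), the first two recommendations expressed as RouterOS CLI commands: the management subnet 10.0.0.0/24 and the address-list name mgmt are assumed placeholders, and the Winbox port 8291 is the one named above.

```routeros
# Added hardening example, not from the original post.
# Assumptions: trusted admin subnet 10.0.0.0/24, address-list name "mgmt".

# 1. Upgrade first: the fix for CVE-2018-14847 only arrives with a patched
#    RouterOS release, so every other control below is a compensating one.
/system package update check-for-updates
/system package update install

# 2. Weak default: every /ip service answers on every address, so any host
#    that can reach the router can talk to Winbox. Disable what is unused
#    (FTP here, which the attacker also abused once they had credentials).
/ip service disable ftp

# 3. Bind the remaining management services to the trusted subnet. Requests
#    from other source addresses are refused by the service itself.
/ip service set winbox address=10.0.0.0/24
/ip service set ssh address=10.0.0.0/24
/ip service set www-ssl address=10.0.0.0/24

# 4. Enforce the same boundary in the input chain, so that a later service
#    misconfiguration does not silently reopen access. Order matters: the
#    accept rule must come before the drop rule.
/ip firewall address-list add list=mgmt address=10.0.0.0/24 comment="trusted admins"
/ip firewall filter add chain=input protocol=tcp dst-port=8291,21,22,443 src-address-list=mgmt action=accept comment="management from trusted hosts only"
/ip firewall filter add chain=input protocol=tcp dst-port=8291,21,22,443 action=drop log=yes log-prefix="mgmt-denied" comment="log and drop everyone else"

# 5. Verify the result: the accept rule must be listed above the drop rule,
#    and the logged "mgmt-denied" entries show who is still probing Winbox.
/ip firewall filter print where chain=input
/log print where message~"mgmt-denied"
```

The log-prefix rule doubles as a cheap detection: any "mgmt-denied" entry from an internal address is a host that should not be talking to the router's management plane.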
