https://binreaper.pages.dev/tags/iot/ Recent content in Iot on binreaper Hugo en-us Fri, 13 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-13-born-insecure/ Fri, 13 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-13-born-insecure/ <p>I spent several weeks analyzing the firmware and cloud communication protocol of a popular consumer WiFi camera line. Seven firmware images across six models spanning five years of production — from late 2019 through November 2024.</p> <p>What I found wasn&rsquo;t the kind of vulnerability that gets introduced by a bad commit or fixed in a patch Tuesday. These are architectural decisions made early in the product&rsquo;s life that propagated unchanged across every model, every revision, every year. Shared cryptographic keys with trivially guessable passphrases. A plaintext cloud signaling channel with no integrity protection. An internal command execution daemon that pipes unsanitized input straight into <code>system()</code>.</p> https://binreaper.pages.dev/posts/2026-03-09-htb-cctv/ Mon, 09 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-09-htb-cctv/ <h2 id="tldr">TL;DR</h2> <p>Log into ZoneMinder with default credentials (<code>admin:admin</code>), use CVE-2024-51482 (SQL injection) to extract the bcrypt password hash for user <code>mark</code>, crack it (<code>opensesame</code>), SSH in, then exploit motionEye (running as root on localhost:8765) by forging HMAC-signed API requests using the admin password hash from the config file to inject a command into the <code>on_event_start</code> hook, and trigger it via the motion HTTP control API.</p> <h2 id="enumeration">Enumeration</h2> <h3 id="port-scan">Port Scan</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>22/tcp — OpenSSH 9.6p1 Ubuntu </span></span><span style="display:flex;"><span>80/tcp — Apache 2.4.58 (Ubuntu) → redirects to http://cctv.htb/ </span></span></code></pre></div><p>Add <code>cctv.htb</code> to <code>/etc/hosts</code> and browse to port 80.</p> https://binreaper.pages.dev/posts/2026-03-04-musl-des-crypt-salt/ Wed, 04 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-04-musl-des-crypt-salt/ <p>When extracting <code>/etc/shadow</code> from embedded Linux devices — routers, IoT gateways, cameras — you&rsquo;ll occasionally encounter password hashes that every standard cracking tool refuses to touch. Not because the hash is strong, but because the C library that generated it plays by slightly different rules.</p> <p>This post documents a specific case: DES crypt hashes with a <code>$</code> character in the salt, generated by musl libc on an OpenWrt-based router. The fix is a one-character substitution that makes the hash crackable in seconds.</p>