====== Hacking La Fonera ====== This is the [[http://www.mariomix.net/mariomix-blog/2006/11/hacking-la-fonera-parte-3/|original article]] where I found this recipe. This hack was tested on La Fonera with firmware **0.7.1 r1**. The web interface is vulnerable to a code injection, we will use it to open the internal firewall and to gain access to the TCP port 22 (ssh). Suppose that La Fonera is reachable via Ethernet at the address **169.254.255.1**, we write two html forms on our PC and submit them using the browser. When La Fonera ask you to authenticate, use the default login/password: **admin** / **admin**. The first step will open the port 22 on the firewall:
The second step will start the ssh server **[[http://matt.ucc.asn.au/dropbear/dropbear.html|dropbear]]** (allow several seconds to let the program start):
Now you can enter La Fonera via ssh with root/admin. ===== Mantain ssh access after reboot ===== To keep the ssh server running and the port 22 open after a reboot, do the following: root@OpenWrt:/#mv /etc/init.d/dropbear /etc/init.d/S50dropbear Edit **''/etc/firewall.user''** and decomment the following lines: ### Open port to WAN ## -- This allows port 22 to be answered by (dropbear on) the router iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT Edit **''/bin/thinclient''** and comment-out the last line, where the downloaded script is executed. Add a line to save the script each time it is downloaded (remember to delete them periodically, to save space): # . /tmp/.thinclient.sh cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%H')