Gaining full root access to the Hyperoptic ZTE ZXHN H298A

Here I will go through the rough and very technical steps to gain root access to this router.

Beware – it is very technical, needs a working GenieACS server and a DHCP server which allows you to set an Option 43 response.

Attack Vector:
The takeover of this router hinges around the default configuration of the router picking up an ACS / TR-069 server from DHCP on the WAN.
ACS / TR-069 is a remote management protocol for routers, SIP phones and other network items. This means we can plug the H298A WAN port into a network we control and respond with our own ACS Server.
Once the router is communicating with our ACS server we can then reset the root password and log into the web admin interface with this root password.

Features Gained:
You gain the ability to edit the WAN settings of the router. Possibly use a 3g dongle as backup and you can configure it to use your own VoIP service.

How:
Install and make sure you have a working GenieACS server. I’m afraid this is a bit of a mission. I installed VMWare Player; debian as a guest with bridged networking to my LAN.

Once debian was up and working I then followed the instructions on the GenieACS documentation to install Node, MongoDB and GenieACS. I also referenced a good summary on Mikrotik’s forum.

Make sure you can bring up your GenieACS UI in a browser using port 3000.. e.g.
http://10.100.1.81:3000 (replacing the IP with the IP you are running GenieACS on, on your LAN).
I had to reboot my debian guest after doing all the install before this web page would work.
I’d also check the port that the router will communicate with.. e.g.
http://10.100.1.81:7547 (This page will give you method not allowed error, but that is expected).

Go into the Admin tab on GenieACS.
Go to Provisions on the left.
Click Show on the default line.
Add the following at the bottom of the existing script:

const password = "wenowknowthis";

const informInterval = 30;
const daily = Date.now(86400000);

declare("InternetGatewayDevice.ManagementServer.ConnectionRequestPassword", {value: daily}, {value: password});
declare("InternetGatewayDevice.ManagementServer.PeriodicInformInterval", {value: daily}, {value: informInterval});

declare("Device.ManagementServer.ConnectionRequestPassword", {value: daily}, {value: password});
declare("Device.ManagementServer.PeriodicInformInterval", {value: daily}, {value: informInterval});

declare("InternetGatewayDevice.DeviceInfo.X_ZTE-COM_AdminAccount.*", {path: hourly, value: hourly});

And then save it. What this does is, along with the other default stuff GenieACS does when a router first communicates, will set the password on the routers ACS “connection request url” to be something we know. This allows easy access to change settings via Genie ACS. If we didn’t do this step then GenieACS would fail to push settings to the router with an authentication error.

We now need to set DHCP Option 43 on your LAN DHCP Server.

On OPNSense you add an option 43, select String from the drop down box and then the value in this format:

01:18:68:74:74:70:3a:2f:2f:31:30:2e:31:30:30:2e:31:2e:38:31:3a:37:35:34:37:2f

Which is
01 (start)
18 (length, in hex, of the url string to follow, windows calculator in programmer mode is your friend here)
68:74:74:70:3a:2f:2f:31:30:2e:31:30:30:2e:31:2e:38:31:3a:37:35:34:37:2f (http://10.100.1.81:7547/ in hex; cyberchef is your friend here to convert to and from Hex).

Save and apply your DHCP config.

Plug in your Hyperoptic router WAN port into your LAN.

Wait for it to boot up – then refresh your GenieACS interface and you _should_ see the Hyperoptic router in there!

Go to the device by clicking on the serial number.
In the grey box below “All parameters” type in AdminAccount.

Click the little pencil icon to the right of “blank” on the password line.
Type in a secure password. If you try and set something like “rob” it will error with task faulted and invalid parameter value. If this happens you need to click on the fault at the top and delete it from the queue.

So after setting a secure password like Underground123! click Queue then Commit.

You should see green status lines saying the change has been sent ok. You can now log into the Hyperoptic router interface using the username root and the password you just set in the last step.

Good luck and I hope this information helps someone :)

https://windows.mouselike.org/windows.mouselike.org/share/dump/2021-12-29%2023_30_23-ZXHN%20H298A%20V1.0.png
This entry was posted in Uncategorized. Bookmark the permalink.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s