router telnet access

[haicen]

I have a Belkin N150 router, which has a few known vulnerabilities. https://www.exploit-db.com/exploits/38840/

Based on the vulnerabilities listed, the best option seems to be the root telnet access. The method works, and a root shell is obtained. I am able to view directories and execute commands. The router itself runs a version of busybox. I understand everything up to this point, but I'm not sure where to go from here. I would like to be able to either obtain the admin page password or be able to reset the password to the default. I am at an utter loss as to how to accomplish this task. The admin web app relies heavily on javascript and a cgi-bin script. I think the cgi-bin script handles all of the authentication through a JSON string.

My attempts to recover the password so far have been attempting to decompile the cgi-bin script using recstudio, but i can only get what looks like assembly code, which i can't read. I have also tried using hydra to brute force the password, but I can't seem to get the parameters correct. I don't know if hydra will even work on this web page since the http-get parameters are encoded in base64 and sent directly to the cgi script.

I don't see any shell scripts or commands that could be used to reset the password via telnet.

Any help or suggestions are very appreciated.

[Mr-Protocol]

How about the reset button on the router?

[cooper]

I don't quite understand what it is you're trying to achieve.

You're root. Reset the password to something you want using passwd and be done with it.