Recently I was on vacation with my girlfriend. One night I couldn’t sleep, so I decided to play around with the hotel WiFi, armed only with my phone.

First, I tried to reach the router, so I opened my web browser and typed 192.168.1.1 without knowing the class of my IP. Surprisingly, it worked and I was in front of the web page of a modem/router owned by one of the bigger Italian operators, which asked me for a username and password. “No segregation, ah, ok...”. So I typed admin:admin and voilà, I was in. It was too easy.

Then I remembered the webcam at the front desk in the hall and I asked myself “How cool would it be if I could reach and take that webcam?!”.

So, instead of searching through all the connected devices and ports, I decided to use a webcam stream viewer app that automatically finds all the webcams connected to a network.

The webcam was a Netwave and was reachable at the address 192.168.1.99.

I typed the address into the browser and it asked for a username and password. This time admin:admin didn’t work.

I decided to try the credentials used by “hackers” to build up the (in)famous Mirai Botnet aaand… nothing. No luck this time.

So I searched on Google and found that this webcam model suffered from a memory leak; here is the exploit.

Great! But, how could I use it from my smartphone?

Examining the exploit code, I found that essentially I only needed to make a GET request and run strings on the output for later examination. The password should have been around the 10000th line. So I looked for a good terminal emulator for Android and I found Termux (if you don’t already use it, check it out because it is really awesome!), then I typed:

wget http://192.168.1.99//proc/kcore | strings | nano

Checking the leaked memory, I couldn’t find the password, so I searched for the word “admin”, because I thought that admin is the default user and the password is usually near the username and, lucky me, it was just as I guessed!

As you can see above, the password was sandokan.

I played a little bit with the webcam. Here is the webcam reflected in the windows of the hall.

The next morning I warned the staff of the hotel about the problems :)
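
From the defender's side, the request described above (a GET for //proc/kcore on the camera's web server) is easy to spot in HTTP logs. The following Python sketch is an added example, not part of the original post; it assumes a reverse proxy or network sensor in front of the camera that writes Common Log Format lines, and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Kernel pseudo-filesystems that an embedded web server should never serve.
SENSITIVE_ROOTS = ("/proc", "/sys", "/dev")
# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed sample input (assumed proxy log, not data from the post).
SAMPLE_LOG = """\
192.168.1.23 - - [12/Aug/2017:02:14:07 +0200] "GET /index.htm HTTP/1.1" 200 1523
192.168.1.57 - - [12/Aug/2017:02:31:40 +0200] "GET //proc/kcore HTTP/1.1" 200 52428800
192.168.1.57 - - [12/Aug/2017:02:33:02 +0200] "GET /%2e%2e/%2e%2e/proc/kcore HTTP/1.1" 404 0
192.168.1.23 - - [12/Aug/2017:02:35:10 +0200] "GET /products/1 HTTP/1.1" 200 310
"""

def normalize_path(target):
    """Reduce a request target to the filesystem path a lax server would open."""
    # Origin-form targets may start with "//"; a URL parser would misread that
    # as a host name, so the query and fragment are stripped by hand.
    path = target.split("?", 1)[0].split("#", 1)[0]
    previous = None
    while previous != path:  # decode repeatedly to catch double encoding
        previous, path = path, unquote(path)
    path = path.replace("\\", "/")
    # normpath keeps exactly two leading slashes, so force a single one first.
    return posixpath.normpath("/" + path.lstrip("/"))

def find_kernel_file_requests(log_text):
    """Return one finding per request whose normalized path is under a sensitive root."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, _method, target, status, size = match.groups()
        norm = normalize_path(target)
        if any(norm == root or norm.startswith(root + "/") for root in SENSITIVE_ROOTS):
            findings.append({
                "client": client,
                "target": target,
                "normalized": norm,
                # A 200 with a non-empty body means memory contents left the device.
                "served": status == "200" and size not in ("-", "0"),
            })
    return findings

if __name__ == "__main__":
    for finding in find_kernel_file_requests(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true means the credentials in the device's memory should be treated as exposed and changed once the camera is patched or isolated.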