Introduction During an internal penetration test, I identified an unpatched MikroTik RouterOS device vulnerable to CVE-2018-14847. By exploiting this flaw in the Winbox service, I was able to extract administrator credentials without authentication and subsequently gained full read/write access via FTP and Winbox GUI.

This vulnerability is particularly dangerous due to its low complexity and high impact - it allows complete device takeover with just network access to the Winbox service. About the Vulnerability CVE-2018-14847 is a path traversal vulnerability in the Winbox protocol parser. It allows unauthenticated users to request and download the user database (user.dat) from the router's file system. The file contains credential hashes and sometimes even plaintext passwords, depending on the system version. Step-by-Step Exploitation 1. Crafting the Exploit Packet

The PoC exploit available, for example, here: https://github.com/BasuCert/WinboxPoC contains hardcoded binary payloads (a and b arrays), which represent Winbox-formatted packets. These packets are crafted to:

• initiate a connection to the target router (on port 8291 or 206/236),
• abuse the protocol to request sensitive files using a traversal path (../../../../flash/rw/store/user.dat),
• bypass authentication entirely.

This is the key portion: These byte sequences are then transmitted over a raw TCP socket to simulate Winbox protocol behavior. 2. Retrieving Credentials After sending the packets, the script uses the function dump() from extract_user.py to parse the binary data returned by the router. The credentials (e.g., admin username and password hash or plaintext) are extracted from the user database.

Sample execution: 3. Accessing FTP and GUI With valid credentials in hand, I’m authenticated to:

• the FTP server, gaining access to logs, configs, and the ability to upload/delete files: • the Winbox GUI, where i obtained unrestricted administrative access, where I was greeted at the entrance by such a beautiful message: Final Notes This case is a textbook example of how one unpatched vulnerability can lead to total infrastructure compromise. Despite being public since 2018, CVE-2018-14847 continues to be exploitable in environments with outdated RouterOS versions.

Finally, my recommendations for the client are as follows:

• Immediately upgrade RouterOS to the latest stable version.
• Restrict Winbox and FTP access to trusted IP addresses using firewall rules.
• Change all passwords - assume credentials are compromised.
• Enforce strong password policies, disallowing dictionary passwords and weak passphrases (especially related to the company itself!).