How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own

Learn tricks and techniques like these, with us, in our amazing training courses!
https://flashback.sh/training

In this video we will show you how we found and exploited a chain of vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.
We bagged a total of $55,000 hacking routers in this competition!

00:00 Intro
01:48 Finding debug interface
04:35 Finding the vulnerability
06:23 Vulnerability details
15:20 Exploit demo
16:33 Outro

For in-depth details, refer to our advisories:
https://www.flashback.sh/blog/lao-bom...
https://www.flashback.sh/blog/mineswe...

The two advisories complement each other. The first one describes the process we used to pwn this router in 2019, and the second one how we found in 2020 that TP-Link improperly patched the command injection. We used that knowledge to improve the exploit so that it works on old and newer "patched" firmware.
The command injection described in this video is the improved one.

The vulnerabilities exploited in this video are:
CVE-2020-10882
CVE-2020-10883
CVE-2020-10884
CVE-2020-28347

All vulnerabilities have been fixed by TP-Link in current firmware versions.

Intro material comes from the ZDI YouTube channel under CC-BY.

Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.

~ Flashback Team
https://flashback.sh
  / flashbackpwn