Monthly Archives: October 2021


Hikvision web UI cannot change admin password

Note / Disclaimer / Caution / Warning:
We are not sure if the same commands will work on your device!
Following these instructions has some risk as not everything is well documented and could damage your device and make it unable to be repaired or used!
We are posting about our experiences as it might help someone else but we cannot guarantee positive results to other people.
We got lucky, we cannot be sure if this works for everyone...

Recently, we were performing maintenance on a Hikvision DS-KB8112-IM Vandal-Resistant Door Station. When we tried to change the password for the default administrator (called admin) we noticed that we could not edit the user. There was a bug in the list of users which was not showing the username of the admin.

That bug caused the Modify functionality to fail as well. It would leave the User Name field as blank which would trigger an error after pressing the OK button. The system complained that the User Name field is empty while it is required making the change of password to fail.

We could not figure out a way to fix it through the menus of Hikvision nor could we flash or update the device firmware, so after some search, we found the documentation of some API (which we are not sure if is actively maintained) that allowed us to get the settings of the device and update them.

Specifically, using the following command, we got the list of users on the Hikvision device:

curl -k 'https://admin:[email protected]/ISAPI/Security/users';

The GET of ISAPI/Security/users gave us the list of all users like so:

<?xml version="1.0" encoding="UTF-8" ?>
<UserList version="2.0" xmlns="http://www.isapi.org/ver20/XMLSchema">
<User version="2.0" xmlns="http://www.isapi.org/ver20/XMLSchema">
<id>1</id>
<userName>admin</userName>
<bondIpAddressList>
<bondIpAddress>
<id>1</id>
<ipAddress>0.0.0.0</ipAddress>
</bondIpAddress>
</bondIpAddressList>
<bondMacAddressList>
<bondMacAddress>
<id>1</id>
<macAddress>00:00:00:00:00:00</macAddress>
</bondMacAddress>
</bondMacAddressList>
<userLevel>Administrator</userLevel>
<attribute>
<inherent>true</inherent>
</attribute>
</User>
</UserList>

Then, for fun, we issued the command that returns the information for the admin user (that has the ID = 1):

curl -k 'https://admin:[email protected]/ISAPI/Security/users/1';
<?xml version="1.0" encoding="UTF-8" ?>
<User version="2.0" xmlns="http://www.isapi.org/ver20/XMLSchema">
<id>1</id>
<userName>admin</userName>
<userLevel>Administrator</userLevel>
<attribute>
<inherent>true</inherent>
</attribute>
</User>

Then we went for the risky part, to issue a command that would edit the settings of the device with great risk!

curl -k 'https://admin:[email protected]/ISAPI/Security/users/1' -X PUT --data-raw $'<User version="2.0" xmlns="http://www.isapi.org/ver20/XMLSchema">\n<id>1</id><userName>admin</userName><password>4321</password></User>';

The PUT command for ISAPI/Security/users/1 loaded the following XML to the device:

<User version="2.0" xmlns="http://www.isapi.org/ver20/XMLSchema">
<id>1</id>
<userName>admin</userName>
<password>4321</password>
</User>

To our pleasant surprise, it worked! After executing the above command, we were able to log in to the device using the new password. To an even more pleasant surprise, the list of users bug disappeared and we were able to use the web GUI to make changes to the administrator user!


Quick notes on optimizing a mysql/mariadb database in a docker container

First, to avoid opening the network of the container to another network, you need to open a shell to the docker container itself. To do so, use the following command:

docker exec -it website_db /bin/bash;

After executing the exec command, you will get a shell to the docker container. Use the following command to optimize all databases and their tables:

mysqlcheck -p -o --all-databases;

The -p parameter instructs the command to ask for a password (which probably and hopefully have set).

To exit the console and close the connection just type exit; after you are done with the above command.

Note: Where we used the word website_db you need to use the name of your container. If you are not sure of the name of the container, you can list all of the containers with their names using the following command:

docker container ls;

Cannot remove the ‘sticky’ option from a post

Recently, we were trying to remove the sticky flag from a post on a self-hosted installation. We were removing the sticky option both from the posts menu and the post editor and after a page refresh, it would reappear as active.

After some troubleshooting, it appeared that the problem was with the WPML plugin. After we disabled that one, we could change the option for the sticky status. Unfortunately, when we activated the plugin again, the option returned to its previous state.

The “fix” that worked was the following:

  1. We visited the WPML plugin settings page: https://example.com/wp-admin/admin.php?page=sitepress-multilingual-cms%2Fmenu%2Ftranslation-options.php
  2. Then in the category Posts and pages synchronization, we removed the tick from the option Synchronize sticky flag and the clicked the Save button.
  1. Following that, we edited our post again and removed the sticky option.
  2. Afterwards, we checked the homepage that the post had been removed and then we went back to the settings page of WPML https://example.com/wp-admin/admin.php?page=sitepress-multilingual-cms%2Fmenu%2Ftranslation-options.php
  3. From there, we enabled again the Synchronize sticky flag option, pressed the Save button to revert the change to the settings hoping the problem will be fixed eventually.

Technical Info

  • WPML Multilingual CMS version 4.2.6
  • WordPress version 5.8.1

How NOT to solve the IEEE Day Badge Challenge

Recently, we were taking the IEEE Day Badge Challenge in https://ieee-collabratec.ieee.org/. We wanted to give another go on solving the clues, so instead of following the clues to open the encrypted and password-protected PDFs, we got the clue that the password is composed only of numeric digits and we used pdfcrack to open the files!

We installed pdfcrack using the following command:

sudo apt-get install pdfcrack;
$ sudo apt-get install pdfcrack
[sudo] password for bob: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  pdfcrack
0 upgraded, 1 newly installed, 0 to remove and 28 not upgraded.
Need to get 31,0 kB of archives.
After this operation, 90,1 kB of additional disk space will be used.
Get:1 http://cy.archive.ubuntu.com/ubuntu focal/universe amd64 pdfcrack amd64 0.18-2 [31,0 kB]
Fetched 31,0 kB in 1s (40,1 kB/s)
Selecting previously unselected package pdfcrack.
(Reading database ... 452721 files and directories currently installed.)
Preparing to unpack .../pdfcrack_0.18-2_amd64.deb ...
Unpacking pdfcrack (0.18-2) ...
Setting up pdfcrack (0.18-2) ...
Processing triggers for man-db (2.9.1-1) ...

To crack the files, we used the following commands that limited the input to the numeric digits and got the password back in seconds on a normal CPU:

pdfcrack -f IEEE+Day+2021+Clue++3.pdf -c 0123456789;
bob@Linux:~$ pdfcrack -f IEEE+Day+2021+Clue++3.pdf -c 0123456789
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: 79c15a021438224ba4df58b0e7fa9a20
U: 4990feee0d63f411cf4eba3c1346ff2100000000000000000000000000000000
O: cc5e6a95577573cac6f6683d4c7f02d6605fe42e5622feb6dc36636263ba838e
found user-password: '490000'

bob@Linux:~$ pdfcrack -f IEEE+Day+2021+Clue++5.pdf -c 0123456789
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: cf72bd9b3fb24145a6d2b578fa52c0e4
U: 8cd5ea45b59168ca10674bdd81f06f5800000000000000000000000000000000
O: 70301a6ff93ac7a91c28895180e8ad57a41388d2b7f3a813b83f4b3fd5274945
Average Speed: 49297.7 w/s. Current Word: '348478'
found user-password: '1470000'

Information on the version we used is below:

$ apt info pdfcrack
Package: pdfcrack
Version: 0.18-2
Priority: optional
Section: universe/utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Joao Eriberto Mota Filho <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 90,1 kB
Depends: libc6 (>= 2.14)
Suggests: pdf-viewer
Homepage: http://pdfcrack.sf.net
Download-Size: 31,0 kB
APT-Manual-Installed: yes
APT-Sources: http://cy.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
Description: PDF files password cracker
 PDFCrack is a simple tool for recovering passwords from pdf-documents.
 .
 It should be able to handle all pdfs that uses the standard security handler
 but the pdf-parsing routines are a bit of a quick hack so you might stumble
 across some pdfs where the parser needs to be fixed to handle.
 .
 The main PDFCrack features are:
 .
   - Supports the standard security handler (revision 2, 3 and 4) on all known
     PDF-versions.
   - Supports cracking both owner and userpasswords.
   - Both wordlists and bruteforcing the password are supported.
   - Simple permutations (currently only trying first character as Upper Case).
   - Save and load a running job.
   - Simple benchmarking.
   - Optimised search for owner-password when user-password is known.
 .
 This program can be used in forensics investigations or similar activities,
 to legal password crack.