Getting root on the ER7206 via SSH.
Following on from @richh's discovery here, which worked on the 605, I wanted to test it on the 7206. My first attempts failed, but I was running on current firmware (2.1.2 from memory). I downgraded to the oldest I could find, which was 2.0.1 Build 20230705 Rel.75930. Now root access via SSH on a stock ER7206 works. There is also a very helpful page here that uses the same calcs linked above that may be easier.
One thing I noticed is that this is not the same shell that was seen on the 605 (showed the OpenWRT Barrier Breaker splash screen in early versions until they removed the splash in later versions). On the ER7206 it seems to be a different shell altogether. It looks like this:
login as: root
root@192.168.0.1's password:
>help
Commands available:
help                        Show available commands
exit                        Exit from current mode
enable                      Turn on privileged commands
disable                     Turn off privileged commands
>
Using enable, a deeper shell is possible; however, this still seems to be limited:
#help
Commands available:
help                        Show available commands
exit                        Exit from current mode
enable                      Turn on privileged commands
disable                     Turn off privileged commands
configure                   Enter configuration mode
show system-info            Display system information.
show history                Display command history.
show interface switchport   Display interface switch port information.
show interface vlan         Display interface VLAN information.
show arp                    Display ARP entry information.
show ikev1 policy           Display ikev1 module entry information.
show ikev2 policy           Display ikev2 module entry information.
show transform-set          Display transform-set module entry information.
show crypto map             Display map module entry information.
show crypto ipsec sa        Display the SA information of the established IPSec.
show all ikev1 policy       Display all ikev1 module entry information.
show all ikev2 policy       Display all ikev2 module entry information.
show all transform-set      Display all transform-set module entry information.
show all crypto map         Display all map module entry information.
show ip rip                 Display RIP interface information.
show ip ospf                Display ospf information.
show ip ospf database       Display the database information of OSPF.
show ip ospf neighbor       Display OSPF neighbor table information.
show ip ospf interface      Display the interface information of OSPF.
show ip route static        Display entry information of static IP route.
show ip http configuration  Display http configuration.
show network                Display OSPF network information.
show nat virtual-server     Display the entry information of NAT virtual-server.
show nat one-to-one         Display the entry information of one-to-one NAT.
show nat alg                Display the entry information of NAT ALG.
show snmp-server            Display SNMP server configuration.
show ssh configuration      Display SSH configuration information.
ping                        Ping ip address.
tracert                     traceroute ip address.
clear history               Clear previously run commands.
reboot                      Reboot device.
I had been hoping for the sort of shell access I'd got from the 605, but it seems different here. Anything useful I can do from here?