Взлом NanoStation M2

[Bambookou]

Начну с того, что провайдер подключил меня к сети через принимающий роутер NanoStation M2, который через lan раздает на мой домашний роутер. Я хочу зайти в админку. Брутфорс на SSH ничего не дал. Провайдер оказался хитрым, он поменял и логин, и пароль на какой-то уникальный. Остается только уязвимости, XSS, SQL - то есть то в чем я ... Маршрутизаторы у провайдера обновляютя на актуальную прошивку, старые уязвимости airos не работают. Armitage тоже ничего не дал. Куда копать, подскажите?
На роутере открыты 3 порта:
22/tcp open ssh Dropbear sshd 2016.74 (protocol 2.0)
53/tcp open domain dnsmasq 2.47
80/tcp open http lighttpd 1.4.39
Nmap:
Code:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-28 12:35 EET

NSE: Loaded 146 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 12:35

Completed NSE at 12:35, 0.00s elapsed

Initiating NSE at 12:35

Completed NSE at 12:35, 0.00s elapsed

Initiating Ping Scan at 12:35

Scanning 192.168.10.1 [4 ports]

Completed Ping Scan at 12:35, 0.03s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 12:35

Completed Parallel DNS resolution of 1 host. at 12:35, 0.00s elapsed

Initiating SYN Stealth Scan at 12:35

Scanning 192.168.10.1 [1000 ports]

Discovered open port 80/tcp on 192.168.10.1

Discovered open port 22/tcp on 192.168.10.1

Discovered open port 53/tcp on 192.168.10.1

Completed SYN Stealth Scan at 12:35, 1.37s elapsed (1000 total ports)

Initiating Service scan at 12:35

Scanning 3 services on 192.168.10.1

Completed Service scan at 12:36, 6.02s elapsed (3 services on 1 host)

Initiating OS detection (try #1) against 192.168.10.1

Initiating Traceroute at 12:36

Completed Traceroute at 12:36, 0.01s elapsed

Initiating Parallel DNS resolution of 2 hosts. at 12:36

Completed Parallel DNS resolution of 2 hosts. at 12:36, 0.00s elapsed

NSE: Script scanning 192.168.10.1.

Initiating NSE at 12:36

Completed NSE at 12:36, 30.41s elapsed

Initiating NSE at 12:36

Completed NSE at 12:36, 0.00s elapsed

Nmap scan report for 192.168.10.1

Host is up (0.0064s latency).

Not shown: 997 closed ports

PORT   STATE SERVICE VERSION

22/tcp open  ssh     Dropbear sshd 2016.74 (protocol 2.0)

53/tcp open  domain  dnsmasq 2.47

| dns-nsid: 

|_  bind.version: dnsmasq-2.47

80/tcp open  http    lighttpd 1.4.39

|_http-favicon: Unknown favicon MD5: 6DCAB71E60F0242907940F0FCDA69EA5

| http-methods: 

|_  Supported Methods: GET HEAD POST OPTIONS

|_http-server-header: lighttpd/1.4.39

| http-title: Error 404 - Page Not Found

|_Requested resource was /nocookies.html

Device type: WAP

Running: Linux 2.6.X, Ubiquiti embedded

OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/h:ubnt:airmax_nanostation

OS details: Ubiquiti AirMax NanoStation WAP (Linux 2.6.32)

Uptime guess: 0.932 days (since Sat Jan 27 14:13:58 2018)

Network Distance: 2 hops

TCP Sequence Prediction: Difficulty=257 (Good luck!)

IP ID Sequence Generation: All zeros

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 25/tcp)

HOP RTT     ADDRESS

1   7.22 ms OpenWrt.lan (192.168.8.1)

2   3.01 ms 192.168.10.1

NSE: Script Post-scanning.

Initiating NSE at 12:36

Completed NSE at 12:36, 0.00s elapsed

Initiating NSE at 12:36

Completed NSE at 12:36, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 42.33 seconds

           Raw packets sent: 1057 (47.566KB) | Rcvd: 1194 (91.582KB)

https://2crd.cc/attachment.php?attac...1&d=1517142177