Client: Confidential
Service: Penetration Testing
Industry: Telecommunications
Year: 2025
Problem
Solution
From an external position at a café near the client’s office, within range of its Wi-Fi, our team captured a WPA2 handshake and recovered the network password within 12 hours by running a dictionary attack in Hashcat with a custom, pre-generated wordlist.
After gaining network access, we performed internal reconnaissance through passive layer-2 monitoring and active scanning with Nmap, which led to the identification of an outdated IP camera still accessible on the internal subnet. We then obtained the camera’s official firmware image from the manufacturer and unpacked it using Binwalk for static analysis.
Inspection of the extracted binaries with a disassembler revealed multiple strings referencing HTTP paths, indicating the presence of exposed API endpoints used for device management. Further analysis identified a previously unknown vulnerability in one of these endpoints, which could be coerced into executing user-supplied input directly within a shell context, resulting in remote code execution.
Key results
Successful compromise of WPA2 office Wi-Fi from an adjacent public café
Discovery and exploitation of a legacy IP camera with an RCE 0-day
Demonstrated a realistic attacker path requiring no internal credentials or physical access