How a Security Engineer Hacked a Singapore Hotel Wi‑Fi Server and Got Fined $5,000

A Chinese security engineer exploited default credentials and multiple vulnerabilities in a Singapore hotel’s Wi‑Fi authentication system, gained root access, extracted MySQL data, achieved remote code execution, and was later fined $5,000 by Singapore courts for unauthorized access and password disclosure.


A 23‑year‑old Tencent security engineer, Zheng Dutao, attended a Capture‑the‑Flag event in Singapore and decided to test the Wi‑Fi infrastructure of a Fragrance Hotel branch. Using publicly available default credentials (telnet: console/admin, FTP: ftponly/antlabs), he accessed the hotel’s authentication server.

1. Backdoor Accounts

After logging in, Zheng discovered a restricted shell with typical Linux commands and additional utilities like sshtun, usage_log, and vlandump. Netstat revealed a MySQL instance listening only on 127.0.0.1 and an SSH service on port 6000.

He set up SSH port forwarding to expose the local MySQL port (3306) to his laptop, allowing remote connection attempts.

2. Sandbox Escape

Examining the custom shell, Zheng identified potential command‑injection points. By exploiting a vulnerability in the vlandump script, he escaped the sandbox, though he remained chrooted. Inside the chroot, he located the MySQL root password in /etc and used it to log into the database.

3. File Read

With MySQL root access, Zheng attempted to read system files. While LOAD_FILE could not read /etc/httpd/conf.d/httpd.conf, he discovered a running PHP service on port 1001 that loaded an IonCube‑encrypted script. After decoding, he obtained additional code snippets.

4. Limited RCE

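The PHP script contained a function logSyslog($msg) that passed the user‑supplied $msg to exec('/usr/bin/logger …'). Because the message is concatenated into a double‑quoted shell argument, the shell still performs backtick command substitution on it, so by injecting backticks Zheng achieved command execution. Only 14 bytes of input were controllable, which tightly constrained what he could run.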

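function logSyslog($msg) {
    // $ip and $buffer are not defined in this excerpt.
    // $msg is concatenated into a double-quoted shell argument, where the shell
    // still expands backticks: this is the injection point described above.
    exec('/usr/bin/logger -p lpr.info -t Acc_Printer -- "Printer ' . $ip . ' ' . $buffer . ' ' . $msg . '"', $out, $ret);
    return $ret == 0;
}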
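
A hardened form of the logging helper above, as an added example that is not the vendor's code or part of the original write-up. Passing $ip and $buffer as parameters, the function names, and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not vendor code). $ip and $buffer are taken as parameters
// here by assumption; the excerpt does not show where they are set.

// Replace control characters so request data cannot forge extra log lines.
function sanitizeLogLine(string $ip, string $buffer, string $msg): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', ' ', "Printer $ip $buffer $msg");
}

// Option 1 (preferred): no shell involved. PHP's syslog API writes with the
// same tag, facility (lpr) and priority (info) as the logger(1) call.
function logSyslogNative(string $ip, string $buffer, string $msg): bool
{
    openlog('Acc_Printer', LOG_ODELAY, LOG_LPR);
    $ok = syslog(LOG_INFO, sanitizeLogLine($ip, $buffer, $msg));
    closelog();
    return $ok;
}

// Option 2: if logger(1) must stay, build the command so the whole message
// is one single-quoted argument. escapeshellarg() wraps the value in single
// quotes and escapes embedded single quotes, so backticks and $() are inert.
function buildLoggerCommand(string $ip, string $buffer, string $msg): string
{
    return '/usr/bin/logger -p lpr.info -t Acc_Printer -- '
        . escapeshellarg(sanitizeLogLine($ip, $buffer, $msg));
}

function logSyslogExec(string $ip, string $buffer, string $msg): bool
{
    exec(buildLoggerCommand($ip, $buffer, $msg), $out, $ret);
    return $ret === 0;
}

// Constructed sample input: a message carrying shell metacharacters.
// The printed command shows it confined to a single quoted argument.
$sample = '(`id`) "; $(id)';
echo buildLoggerCommand('192.0.2.10', 'job1', $sample), PHP_EOL;
```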

He crafted a Python script using the zio library to send payloads to the vulnerable service:

import zio, sys
io = zio.zio(('192.168.10.2', 1001))
io.write('(`%s`)' % sys.argv[1])

The service logged command output to log/acc/acc.log, providing a covert channel.

5. Unlimited RCE

Leveraging MySQL’s ability to write files, Zheng wrote a small shell script to /tmp/a and executed it via bash /tmp/a, expanding the limited 11‑byte payload into full remote code execution.

6. DirtyCOW Privilege Escalation

The underlying server ran an outdated CentOS 4 kernel, vulnerable to the DirtyCOW exploit, allowing Zheng to obtain root privileges without further effort.

After Zheng published his findings in a blog post titled “Exploit Singapore Hotels: ezxcess.antlabs.com,” the Singapore Cyber Security Agency (CSA) alerted the hotel. Zheng was charged with unauthorized access and password disclosure. On September 24, the Singapore High Court fined him US$5,000, noting no actual damage but emphasizing the risk of exposing credentials.

Legal commentary highlighted that publishing admin passwords could enable further attacks on other hotels using the same AntLabs IG3100 system, and the fine serves as a deterrent against unauthorized penetration testing.
