Взлом NanoStation M2

Начну с того, что провайдер подключил меня к сети через принимающий роутер NanoStation M2, который через lan раздает на мой домашний роутер. Я хочу зайти в админку. Брутфорс на SSH ничего не дал. Провайдер оказался хитрым, он поменял и логин, и пароль на какой-то уникальный. Остается только уязвимости, XSS, SQL - то есть то в чем я ... Маршрутизаторы у провайдера обновляютя на актуальную прошивку, старые уязвимости airos не работают. Armitage тоже ничего не дал. Куда копать, подскажите?

На роутере открыты 3 порта:
22/tcp open ssh Dropbear sshd 2016.74 (protocol 2.0)
53/tcp open domain dnsmasq 2.47
80/tcp open http lighttpd 1.4.39

Nmap:
Code:

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-28 12:35 EET
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:35
Completed NSE at 12:35, 0.00s elapsed
Initiating NSE at 12:35
Completed NSE at 12:35, 0.00s elapsed
Initiating Ping Scan at 12:35
Scanning 192.168.10.1 [4 ports]
Completed Ping Scan at 12:35, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:35
Completed Parallel DNS resolution of 1 host. at 12:35, 0.00s elapsed
Initiating SYN Stealth Scan at 12:35
Scanning 192.168.10.1 [1000 ports]
Discovered open port 80/tcp on 192.168.10.1
Discovered open port 22/tcp on 192.168.10.1
Discovered open port 53/tcp on 192.168.10.1
Completed SYN Stealth Scan at 12:35, 1.37s elapsed (1000 total ports)
Initiating Service scan at 12:35
Scanning 3 services on 192.168.10.1
Completed Service scan at 12:36, 6.02s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.10.1
Initiating Traceroute at 12:36
Completed Traceroute at 12:36, 0.01s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:36
Completed Parallel DNS resolution of 2 hosts. at 12:36, 0.00s elapsed
NSE: Script scanning 192.168.10.1.
Initiating NSE at 12:36
Completed NSE at 12:36, 30.41s elapsed
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Nmap scan report for 192.168.10.1
Host is up (0.0064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 2016.74 (protocol 2.0)
53/tcp open domain dnsmasq 2.47
| dns-nsid:
|_ bind.version: dnsmasq-2.47
80/tcp open http lighttpd 1.4.39
|_http-favicon: Unknown favicon MD5: 6DCAB71E60F0242907940F0FCDA69EA5
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: lighttpd/1.4.39
| http-title: Error 404 - Page Not Found
|_Requested resource was /nocookies.html
Device type: WAP
Running: Linux 2.6.X, Ubiquiti embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/h:ubnt:airmax_nanostation
OS details: Ubiquiti AirMax NanoStation WAP (Linux 2.6.32)
Uptime guess: 0.932 days (since Sat Jan 27 14:13:58 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 7.22 ms OpenWrt.lan (192.168.8.1)
2 3.01 ms 192.168.10.1

NSE: Script Post-scanning.
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Initiating NSE at 12:36
Completed NSE at 12:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.33 seconds
Raw packets sent: 1057 (47.566KB) | Rcvd: 1194 (91.582KB)​