Different routers have different vulnerabilities and weaknesses, and also different architectures. If we're just talking admin panel password, then it really depends on the functionality of the admin panel and what vulnerabilities are present in the code.
For example, let's say you're looking at a router like the TRENDnet TEW-812DRU, and find that it's vulnerable to command execution through a SQL injection vulnerability, which ultimately allows an attacker to gain root privileges on the router.
From there the attacker could, for example, add false DNS entries to re-route traffic destined for Gmail, your bank, Facebook, etc to any address she'd like. By forcing you to browse her custom site she could attempt to fool you to logging into a spoofed version of one of these sites to steal your credentials or try to exploit your machine through your browser (e.g. angler exploit kit).
Since our hypothetical router is running Linux, the attacker may also be able to use something like TCP dump to start recording all of your unencrypted traffic looking for interesting information like credit card numbers, passwords, etc. Or she could make matters easier and SSL-strip/MiTM your HTTPS traffic so that it's all sent in plaintext. That would allow her to steal all of your credit card info, passwords, etc without having to worry about whether or not it's encrypted. If nothing else, she could use the router as a bridge onto your local network to attack the devices that are connected to it.
Of course this is all hypothetical, since I haven't actually rooted a router to have a look around, but I think all of this is well within the range of possibility. For example, here's this: https://securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php (the TRENDnet TEW-812DRU is specifically vulnerable to a command injection technique like this).