On Mon, Jul 18, 2011 at 10:06 PM, Dan Dubovik wrote:

> Can you SSH as the hammerhead user?
>
No

mark@orca:~/Desktop/buffalo_nas$ ssh hammerhead@xxx.xxx.xxx.xxx
Password:
Connection to xxx.xxx.xxx.xxx closed by remote host.
Connection to xxx.xxx.xxx.xxx closed.

>
> When you FTP as the hammerhead user, can you move the script.php file to
> the htdocs directory? It has 777 permissions, so should be able to open it
> / drop a file there.
>
Yes, I can, and it does execute.

>
> If you can get a PHP file uploaded and able to execute properly, perhaps a
> PHP based shell could help?

I am not a php guy.....I don't know how to do this. I tried a script to allow ssh without password for anyone. It seems to have written the file, however, I still cannot ssh in as root.

Note: this is my first php script; the print statements helped me debug and see if it was working.

<?php
echo "starting...\n";
$filename = '/etc/pam.d/sshd';
$fh = fopen($filename, 'w+') or die("can't open file");
$contents = fread($fh, 1000);
echo "..file contents:\n$contents\n";
$stringData = "account required pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false) echo "...#1 no luck writing file\n";
else echo "...wrote $fw bytes: '$stringData'\n";
$stringData = "session required pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false) echo "...#2 no luck writing file\n";
else echo "...wrote $fw bytes: '$stringData'\n";
$stringData = "auth required pam_permit.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false) echo "...#3 no luck writing file\n";
else echo "...wrote $fw bytes: '$stringData'\n";
rewind($fh);
$contents = fread($fh, 1000);
echo "...final file contents:\n$contents\n";
fclose($fh);
echo "done!\n";
?>

Output from the script:

starting...
..file contents:
...wrote 32 bytes: 'account required pam_unix.so '
...wrote 32 bytes: 'session required pam_unix.so '
...wrote 28 bytes: 'auth required pam_permit.so '
...final file contents:
account required pam_unix.so
session required pam_unix.so
auth required pam_permit.so
done!

One strange behavior....when I re-run the script, I expected to see the contents of the file displayed after 'starting...' above, but it always comes back blank, and I still cannot login using ssh....

I did this:

1. restart the nas
2. run script
3. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh root@xxx.xxx.xxx.xxx
Connection closed by xxx.xxx.xxx.xxx
4. reset nas again
5. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh root@xxx.xxx.xxx.xxx
Password:
Password:
Password:

Then all I get when I try to ssh in is Connection closed.

Does anyone have any php scripts to hack this box and give me root access via ssh?

Thanks!

Mark

>
> -- Dan.
>
> On Mon, Jul 18, 2011 at 9:20 PM, Lisa Kachold wrote:
>
>> I believe the script.php has to be moved to the webroot directory and given
>> permissions there I believe, but well if you can't get a login via ssh... --
>> how to do it?
>>
>>
>> On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips <
>> mark@phillipsmarketing.biz> wrote:
>>
>>> On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold wrote:
>>>
>>>> There are a lot of password files and dictionary lists on various sites.
>>>> Backtrack5 contains a good number.
>>>>
>>>> But I imagine that it's either not allowing root via ssh or you have the
>>>> wrong username.
>>>>
>>>
>>> It turns out the box is smarter than a fifth grader.....after a few hydra
>>> attacks, it started rejecting all the hydra attempts to ssh in via root.
>>> Once I stopped hydra (after running all night), it took a couple of hours
>>> before it would respond to ssh attempts from root. It now will ask for the
>>> root password, but I still have no idea what it is.
>>>
>>>>
>>>> Or it's a truly random string.
>>>>
>>> It could be....the password for the zip file to unzip the file system is
>>>
>>> YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4
>>>
>>> . Someone retrieved it using a disassembler on the file system.
>>>
>>> I did some more reading, and one person was able to use php to allow ssh
>>> login. The box allows one to create a web space, and it comes with php
>>> installed. One can edit the php.ini file, and I can upload via ftp a php
>>> script. The script they suggested is:
>>>
>>> <?php
>>> $file = '../../../../etc/pam.d/sshd';
>>> $fh=fopen($file, 'w') or die("can't open file");
>>> $stringData = "account required pam_unix.so\n";
>>> fwrite($fh, $stringData);
>>> $stringData = "session required pam_unix.so\n";
>>> fwrite($fh, $stringData);
>>> $stringData = "auth required pam_permit.so\n";
>>> fwrite($fh, $stringData);
>>> fclose($fh);
>>> ?>
>>>
>>> I uploaded the script, but I get a 404 File not Found when I access the
>>> page. I thought it might be a file permission error since the file is only
>>> rw. I tried chmod 777 at the ftp prompt, and got the error message File not
>>> Found, but ls shows it is there.
>>>
>>> ftp> ls
>>> 200 PORT command successful
>>> 150 Opening ASCII mode data connection for file list
>>> drwxrwxrwx 2 apache apache 6 Jul 17 08:23 cgi-bin
>>> drwxrwxrwx 2 apache apache 22 Jul 17 08:23 htdocs
>>> drwxrwxrwx 2 apache apache 39 Jul 17 08:23 log
>>> -rw-rw-rw- 1 hammerhead hdusers 335 Jul 17 08:49 script.php
>>> 226 Transfer complete
>>> ftp> chmod 777 script.php
>>> 550 CHMOD 777 script.php: No such file or directory
>>> ftp>
>>>
>>> Is there anything I can change in the php.ini file to make this script
>>> execute? Or, am I missing something else?
>>>
>>> BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>>>
>>>> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <
>>>> mark@phillipsmarketing.biz> wrote:
>>>>
>>>>>> Since this is a drive buffalo, I might try ettercap ssh downgrade
>>>>>> attack:
>>>>>>
>>>>>> http://openmaniak.com/ettercap_filter.php
>>>>>> ttp://
>>>>>> sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade
>>>>>>
>>>>> Not sure how a man in the middle attack will work, since I don't know
>>>>> the password to begin with...
>>>>>
>>>>>> Or Hydra:
>>>>>>
>>>>>> Hydra Instructions:
>>>>>>
>>>>>> http://www.youtube.com/watch?v=7CP-JB4QARo
>>>>>>
>>>>> Hydra is promising. I tried it with the common passwords list from
>>>>> openwall. No luck. Do you have any better password lists?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------
>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>>>
>>>>
>>>> --
>>>> (602) 791-8002 Android
>>>> (623) 239-3392 Skype
>>>> (623) 688-3392 Google Voice
>>>> **
>>>> HomeSmartInternational.com
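The file the script in this thread wrote leaves sshd with an auth stack whose only module is pam_permit.so, so no credential is checked at login. A check an administrator could run over the text of /etc/pam.d service files to spot that state follows; it is an added example, not part of the original thread, and its function names and the STOCK_STYLE sample are constructed here.

```python
import os

# The three lines the thread's script wrote to /etc/pam.d/sshd.
THREAD_SSHD = ("account required pam_unix.so\n"
               "session required pam_unix.so\n"
               "auth required pam_permit.so\n")
# Constructed sample: pam_permit.so appears only after a real password check.
STOCK_STYLE = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
               "auth requisite pam_deny.so\n"
               "auth required pam_permit.so\n")
DELEGATING = ("include", "substack")

def parse_pam(text):
    """Return (type, control, module) tuples from a PAM service file's text."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        fields = raw.split("#", 1)[0].split(None, 1)     # drop comments
        if len(fields) < 2:
            continue
        mtype, rest = fields[0].lstrip("-").lower(), fields[1].strip()
        if mtype == "@include":                          # Debian-style include
            rules.append((mtype, "include", rest))
            continue
        if rest.startswith("["):                         # [value=action ...]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        if rest.split():
            rules.append((mtype, control, os.path.basename(rest.split()[0])))
    return rules

def audit_auth(text):
    """List reasons this file's auth stack accepts a login with no credential."""
    rules = parse_pam(text)
    auth = [(c, m) for t, c, m in rules if t == "auth"]
    # Included files are not followed here; they need their own audit pass.
    delegated = any(c in DELEGATING for _, c, _ in rules)
    checkers = [m for c, m in auth if m != "pam_permit.so"]
    findings = []
    if any(c == "sufficient" and m == "pam_permit.so" for c, m in auth):
        findings.append("pam_permit.so is 'sufficient' in the auth stack")
    if auth and not checkers and not delegated:
        findings.append("auth stack contains only pam_permit.so")
    return findings

if __name__ == "__main__":
    for name, text in (("thread", THREAD_SSHD), ("stock-style", STOCK_STYLE)):
        print(name, audit_auth(text) or "ok")
```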