General NAS-Central Forums


All times are UTC




Post subject: LaCie D2 Network
Posted: Mon Jun 01, 2009 4:30 pm
Hi everyone,
I've been playing with my new LaCie D2 network (2.2.2), and tried to open a backdoor in order to launch a telnet session. Here are the specs of LaCie's D2 network.

First I've opened the NAS and unplugged the hard drive. I've also made a copy of the original disk. I've put a smaller one in my new box ;) It's easy to avoid breaking the warranty seal. This is just a sticker on one of the 4 rear screws. So do not unscrew the one with the sticker and rotate the rear part to get the disk. Here are some pics I've taken:


Then I plugged the hard drive into my computer and booted with a KNOPPIX live CD:
Here is the partition info (sorry, the screen cap is in French):

Drive's content (the "troppix" folders are created by the live CD):
    /dev/sda2 : data
Code:
total 4
0 drwxr-xr-x 5 root root   43 2009-05-28 22:46 .
4 drwxr-xr-x 7 root root 4096 2009-06-01 14:09 ..
0 drwxr-xr-x 3 root root   16 2009-05-28 22:46 download
0 drwxr-xr-x 9 root root   93 2009-05-28 22:36 share
0 drwxr-xr-x 2 root root    6 2000-01-02 01:26 tmp


    /dev/sda9 : system :?: (659 Mib)
Code:
total 44
 4 drwxr-xr-x 6 root root  4096 2009-05-27 20:03 .
 4 drwxr-xr-x 7 root root  4096 2009-06-01 14:09 ..
 8 -rw-r--r-- 1 root root  5363 2009-06-01 16:52 edconf.xml
 4 drwxr-xr-x 4 root root  4096 2014-11-05 07:58 EDMINI
16 drwx------ 2 root root 16384 2000-01-01 01:00 lost+found
 4 drwxr-xr-x 3 root root  4096 2000-01-01 01:00 snaps
 4 drwxr-xr-x 2 root root  4096 2009-05-30 12:46 troppix


    /dev/sda8 : boot :?: (173 Mib)
Code:
total 39
 1 drwxr-xr-x 21 root root   1024 2009-05-27 20:03 .
 4 drwxr-xr-x  7 root root   4096 2009-06-01 14:09 ..
 2 drwxrwxr-x  2 root root   2048 2009-06-01 00:23 bin
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 boot
 1 drwxrwxr-x  2 root root   1024 2009-05-11 12:55 dev
 2 drwxrwxr-x 26 root root   2048 2009-06-01 14:20 etc
 1 drwxr-xr-x  2 root users  1024 2009-03-23 17:45 home
 2 drwxrwxr-x  7 root root   2048 2009-05-11 12:55 lib
12 drwx------  2 root root  12288 2009-05-11 12:54 lost+found
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 media
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 mnt
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 opt
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 proc
 1 drwxr-x---  2 root root   1024 2009-03-23 17:45 root
 2 drwxrwxr-x  2 root root   2048 2009-05-11 12:55 sbin
 1 drwxr-xr-x  2 root root   1024 2009-03-23 17:45 sys
 1 drwxrwxrwt  2 root root   1024 2009-03-23 17:45 tmp
 1 drwxr-xr-x  2 root root   1024 2009-05-30 12:46 troppix
 1 drwxrwxr-x 10 root root   1024 2009-05-11 12:55 usr
 1 drwxrwxr-x 15 root root   1024 2009-05-11 12:55 var
 1 drwxrwxr-x  7 root root   1024 2009-05-11 12:55 www


    /dev/sda7 : boot backup :?: (8 Mib)
Code:
total 35
 1 drwxr-xr-x 21 root root  1024 2009-05-27 20:03 .
 4 drwxr-xr-x  7 root root  4096 2009-06-01 14:09 ..
 1 drwxr-xr-x  2 root root  1024 2009-05-11 12:55 bin
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 boot
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 dev
 1 drwxr-xr-x  3 root root  1024 2009-05-30 13:13 etc
 1 drwxr-xr-x  3 root root  1024 2009-05-11 12:55 home
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 include
 1 drwxr-xr-x  4 root root  1024 2009-05-11 12:55 lib
12 drwx------  2 root root 12288 2009-05-11 12:55 lost+found
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 mnt
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 opt
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 proc
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 root
 1 drwxr-xr-x  2 root root  1024 2009-05-11 12:55 sbin
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 snapshots
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 sys
 1 drwxr-xr-x  2 root root  1024 2009-03-23 16:54 tmp
 1 drwxr-xr-x  2 root root  1024 2009-05-30 12:46 troppix
 1 drwxr-xr-x  4 root root  1024 2009-05-11 12:55 usr
 1 drwxr-xr-x  5 root root  1024 2009-05-11 12:55 var


As far as I've read on the nas-central forum, this NAS looks like a fanless EDmini V2.
I've had some trouble hacking this little thing (this is my first NAS hack). First strange thing: the "www/cgi-bin/admin" is now "www/cgi-bin/public".
I've put a backdoor cgi file, as Jimmy explains in his blog, in "www/cgi-bin/public" of the /dev/sda8 drive.

It works :
but I'm surely missing something with "complex" shell commands :
"cd ..", "ls -lsa", "cd /" are not understood (URL encoding? How to do that?).

So far so good. I've made a copy of the "utelnetd" binary inside my www/cgi-bin/public (since I can't use complex commands).
Using my backdoor I can call the telnet daemon:
http://cerise/cgi-bin/public/exploit.cgi?utelned

But when I try to telnet to my D2 I can't connect. With the admin and root logins, telnet directly answers "invalid user" (no password prompt); users created with the web interface let me type a password, but I get an error and I'm kicked from telnet (error in French: "Perte de connection à l'hôte", which can be translated as "connection dropped").

I've tried all day to create a new user in the passwd and shadow files as described in Jimmy's blog, without success.
If I modify a file in /dev/sda9/snaps/00/ect/ the file is overwritten.
I've tried to modify the passwd and shadow files stored in /dev/sda8/etc/ but I must be missing something; this has no effect. Here is my passwd file:

Code:
root:x:0:0:root:/root:/bin/sh
new_root:x:1000:0:new_root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/var:/bin/sh
sshd:x:22:22:sshd:/dev/null:/bin/false
nobody:x:65534:65534:Nobody:/:/bin/false
anonymous:x:65534:65534:Nobody:/:/bin/false
messagebus:x:101:101::/dev/null:/bin/false
haldaemon:x:102:102::/dev/null:/bin/false
avahi:x:103:103::/dev/null:/bin/false
admin:x:500:100:LaCie Ethernet Disk mini Admin:/home:/bin/false


and add in the shadow file :
Code:
new_root::12488:0:99999:7:::
or
Code:
new_root:<copy of my admin encrypted password>:12488:0:99999:7:::


For the moment I'm stuck here. If someone's got an idea to go further, I'll appreciate the effort :geek:

Thanks !
SuperPoney
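
An added example, not part of the original post: an offline audit of the passwd and shadow files from a mounted NAS system partition, flagging the kinds of entries shown above (an extra gid-0 login account, an empty shadow password field, accounts sharing a UID). The function names and the sample data are constructed for illustration, and the shadow hashes are placeholders.

```python
from collections import defaultdict

LOGIN_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash"}

# Constructed sample: passwd lines as quoted in the post (subset); the shadow
# hashes for root and admin are placeholders, not values from the device.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
new_root:x:1000:0:new_root:/root:/bin/sh
operator:x:11:0:operator:/var:/bin/sh
nobody:x:65534:65534:Nobody:/:/bin/false
anonymous:x:65534:65534:Nobody:/:/bin/false
admin:x:500:100:LaCie Ethernet Disk mini Admin:/home:/bin/false
"""
SHADOW = """\
root:$1$PLACEHOLDER$PLACEHOLDER:12488:0:99999:7:::
new_root::12488:0:99999:7:::
admin:$1$PLACEHOLDER$PLACEHOLDER:12488:0:99999:7:::
"""

def parse(text, min_fields):
    """Split colon-separated records; skip blank, comment and short lines."""
    rows = (l.strip().split(":") for l in text.splitlines() if l.strip())
    return [f for f in rows if not f[0].startswith("#") and len(f) >= min_fields]

def audit(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for one passwd/shadow pair."""
    findings = set()
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    by_uid = defaultdict(list)
    for name, pw, uid, gid, _gecos, _home, shell in (f[:7] for f in parse(passwd_text, 7)):
        by_uid[uid].append(name)
        can_login = shell in LOGIN_SHELLS
        if can_login and name != "root" and "0" in (uid, gid):
            findings.add((name, "login shell with uid/gid 0"))
        if can_login and pw == "x" and name not in shadow:
            findings.add((name, "no shadow entry"))
        if pw == "" or shadow.get(name) == "":
            findings.add((name, "empty password field"))
    for names in by_uid.values():
        if len(names) > 1:
            findings.update((n, "shared uid") for n in names)
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW):
        print(f"{account}: {finding}")
```

Run against files copied from a disk image rather than the live device, and diff the result against a known-good firmware copy to separate vendor defaults from later changes.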


Post subject: Re: LaCie D2 Network
Posted: Wed Jun 03, 2009 5:51 pm
Finally I found a solution to hack the D2 Network and the LaCie's "XX network family".

If a moderator comes here, this thread should be moved to the "2big Network" sub-section of this forum since the "D2 network" belongs to this family.

I'll post a detailed howto to hack this NAS (here of course 8-) ).

