KD21 root access?

DickCheese
Posts: 4
Joined: Thu Sep 11, 2014 1:56 am

KD21 root access?

Post by DickCheese » Thu Sep 11, 2014 2:09 am

Hello,

I recently bought a KD21 and was hoping I could gain root access on it as per http://asham.ca/hardware/2013/12/gettin ... inas-kd20/ but found it does not work on the KD21 (firmware version 2.02.20140721).

I was hoping I could download the firmware, extract it and look through it for something that might help (it downloads as a .tar.gz), but it doesn't appear to be a valid gzip file, it's probably encrypted.

Anyway, from reading the KD20 thread I saw reference to an /admin/ssh.php page off the admin url. I tried it on my KD21 and it asks for authentication, which maybe means it is possible, but I don't have the login/password. I tried root and atonnas, atonnas and atonnas as per the KD20 thread but found no love.

This NAS has real potential but the included firmware is really weak. You can't copy data from one drive to another on the KD21 without it going over your LAN, which makes setting it up a really slow task, even over gigabit, and the RAID support is really limited. ie: If you start with one drive, you can't mirror it without destroying your data. I would like to use it for more! Any advice?

Mijzelf
Posts: 6208
Joined: Mon Jun 16, 2008 10:45 am

Re: KD21 root access?

Post by Mijzelf » Thu Sep 11, 2014 6:47 pm

Some pointers: The tar.gz firmware file is a base64 encoded, encrypted, gzipped tarfile. It is possible to extract it, but it doesn't help. The rootfs is an ubifs image, and according to this page it's not easy to extract that.

But you can download the 'Firmware update via USB' package here. Besides the ubifs image it also contains a bzip2'ed tarball of the rootfs. (Almost 40 MB. And it's not used at all, as far as I can see).

In /usr/htdocs/admin/ssh.php you'll find chk_pw.php responsible for the login:

<?
//check password{{
if(!$_COOKIE['aton_nas_ssh']){
        if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // if is null, send header to show dialog box 
    header('WWW-Authenticate: Basic realm="Administrator"');
    header('http/1.0 401 Unauthorized');
    echo 'Please enter user and password';
    exit;
        } else {
                
                $pwd = $_SERVER['PHP_AUTH_PW'];
                //$realpwd = "SqwfJ0XVOC/ZE";
                $realpwd = "ASI/prMp4QNHc";
                
        if (($_SERVER['PHP_AUTH_USER'] == "atonnas") && (crypt($pwd, $realpwd)==$realpwd)) {
        //if (($_SERVER['PHP_AUTH_USER'] == "atonnas") ) {
                $cartoon_time = time() + (10*60);    // set cookie for 10 minutes
                setcookie ('aton_nas_memocom','memocom_admin', $cartoon_time);           
        } else {
                echo "Invalid user name or password <br/>";
                echo "Please reopen browser, and try it again";
                exit;
        }
        } 
}       
//check password}}      
?>
So I guess the login atonnas / ASI/prMp4QNHc should work. If that doesn't work you can try to inject the cookie aton_nas_memocom=memocom_admin.
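
A hardened form of the gate in the chk_pw.php listing above, added here as an example (not the vendor's code and not part of the original post). The listing skips the password check whenever a cookie named aton_nas_ssh carries any non-empty value, and it compares against a hash that ships in every firmware image; ADMIN_USER and ADMIN_HASH_FILE below are assumed names.

```php
<?php
// Added example, not vendor code. ADMIN_USER and ADMIN_HASH_FILE are
// assumptions made for illustration.
declare(strict_types=1);

const ADMIN_USER = 'admin';                       // assumption: account chosen at setup
const ADMIN_HASH_FILE = '/etc/nas/admin.pwhash';  // hypothetical path, written per device

function deny(): void {
    header('WWW-Authenticate: Basic realm="Administrator"');
    http_response_code(401);
    echo 'Authentication required';
    exit;
}

function require_admin(): void {
    session_set_cookie_params([
        'path' => '/admin', 'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();

    // The decision reads server-side session state. A cookie the browser
    // invents maps to no stored session, so its presence proves nothing.
    if (($_SESSION['admin'] ?? false) === true
        && ($_SESSION['expires'] ?? 0) > time()) {
        return;
    }

    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Hash created with password_hash() during device setup, never shipped
    // inside the firmware image.
    $hash = trim((string) @file_get_contents(ADMIN_HASH_FILE));

    // No provisioned hash means no login at all, not a built-in default.
    if ($hash === '' || !hash_equals(ADMIN_USER, $user)
        || !password_verify($pass, $hash)) {
        deny();
    }

    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['admin'] = true;
    $_SESSION['expires'] = time() + 600;  // same 10-minute window as the listing
}

require_admin();
```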

DickCheese
Posts: 4
Joined: Thu Sep 11, 2014 1:56 am

Re: KD21 root access?

Post by DickCheese » Sat Sep 13, 2014 3:59 pm

Thanks for your help Mijzelf. Cookie injection does seem to be the right track.

I injected a cookie with contents:

aton_nas_ssh=//cookies ????????; path=/; domain=(ip of KD21)

Now after injecting when I go to (ip of NAS)/admin/ssh.php I have a menu option that says, "SSH Open now", a check box with SSH in it and a Save button. Anyway, this starts sshd on the KD21! I can putty in and get a response but I still don't know the login/password.

I'm not sure but if the RSA key is not unique maybe I can import it from the firmware into Putty.

What's interesting is that the cookie contents were only question marks. My text editor didn't support reading the Asian language and substituted question marks for it. It looks like it will accept question marks instead of the actual string. LOL!

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Thu Sep 18, 2014 10:03 pm

Hi DickCheese,

I'm very curious to know if you managed to work around the user/pass issue log-in via SSH. I just purchased a KD21 and was very disappointed to learn that SSH access was not turned on. I never even considered researching this particular "feature".

Anyway, I'd very much like to unlock this, so if you've come up with a solution I would very much appreciate it if you could share it with us.

Thanks!

DickCheese
Posts: 4
Joined: Thu Sep 11, 2014 1:56 am

Re: KD21 root access?

Post by DickCheese » Fri Sep 19, 2014 3:50 am

I haven't been able to get further than simply enabling SSH so far. Anyway, if you want to enable it yourself download Firebug for Firefox. Go to your NAS IP, start Firebug and create a new cookie with the below contents. For Host, put the IP address of your KD21, not #.#.#.#

Name: aton_nas_ssh
Host: #.#.#.#
Path: /
Session: (ticked)
Value: //cookies ????????

After you have done this you should be able to access the /admin page of your KD21 to enable SSH and poke around at some other things.

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Fri Sep 19, 2014 11:56 pm

Thanks!
I guess based on Mijzelf's post we know the login username is "atonnas", at least for this admin page.
Let us know if you figure out the SSH user/pass somehow.

Cheers!

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Mon Sep 22, 2014 10:35 pm

I filed a support ticket with Shuttle a while back with the faint hope that they might consider opening SSH in their future FW updates. They went one step further and released the entire source code! If anyone is interested it can be downloaded here:
http://us.shuttle.com/download/KD21_KD22OpenSource.zip

Their support agent also told me they're working on "opening SSH".

I haven't had a chance to look at the FW yet (and I'm no expert). Hopefully this will open up the box to more possibilities.

DickCheese
Posts: 4
Joined: Thu Sep 11, 2014 1:56 am

Re: KD21 root access?

Post by DickCheese » Tue Sep 23, 2014 6:13 am

I've got root!

I can't take any real credit for it, I relied heavily on comments I read on asham.ca for the KD20, but it works!

It requires: A Linux box or Macintosh
A folder made and a user added with full permissions to it on the KD21 through its web interface.

Start SSH on the kd21 by going to <nas ip>/admin/ with a web browser and log in with the username atonnas and password backdoor when it asks you to authenticate. Click on the ssh link in the left pane and enable SSH on the pane that appears on the right.

Linux/Macintosh: Start a Terminal session and make a sym link to /
eg: ln -s / ./beer

My example will make a sym link named beer in your current folder that will navigate to the root filesystem.

Connect to the share via smb or afp from Linux/Mac with the user you made, navigate to your folder and copy the sym link (in my case, beer) into your folder.

Go to your KD21 via web url, <nas ip>/filesystem/index.php

This will start AjaXplorer.

Authenticate with the user and password you made, and select the folder you made via the dropdown menu. Go into the sym link you made (beer in my case). You are now in the root (/) filesystem!

Upload a php backdoor to /usr/htdocs/admin. I used php-backdoor.php which I found at http://users.freenet.am/~zombie/src/backdoor.php

After uploading it to /usr/htdocs/admin, you can now navigate to this backdoor by going to <nas ip>/admin/backdoor.php in your web browser

I executed the command echo -e "beer\nbeer\n" | sudo passwd root

This changed my root password to beer and allowed me to ssh into my kd21.

From here on out, it's all yours. I have a backup of the original passwd file because I fully intend to run it through hashcat and john the ripper. :)
fezz wrote: I filed a support ticket with Shuttle a while back with the faint hope that they might consider opening SSH in their future FW updates. They went one step further and released the entire source code! If anyone is interested it can be downloaded here:
http://us.shuttle.com/download/KD21_KD22OpenSource.zip

Their support agent also told me they're working on "opening SSH".

I haven't had a chance to look at the FW yet (and I'm no expert). Hopefully this will open up the box to more possibilities.
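
The step above that reaches / works because the web file manager follows a symlink out of the shared folder. One way a file manager can refuse such a path, as an added example that is not part of the original post and not AjaXplorer's own code; resolve_inside() and the demo directory are hypothetical names constructed for illustration.

```php
<?php
// Added example: canonicalize every requested path and refuse anything
// that resolves outside the share root, including through a symlink.
declare(strict_types=1);

function resolve_inside(string $shareRoot, string $relative): ?string {
    $root = realpath($shareRoot);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');
    $real = realpath($candidate);           // follows symlinks and ".."
    if ($real === false) {
        // Upload target that does not exist yet: canonicalize its parent.
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $real = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // Compare with a trailing separator so /share2 is not mistaken
    // for a path inside /share.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real !== $root && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a share holding one real file and a symlink to /.
$base = sys_get_temp_dir() . '/share_demo_' . bin2hex(random_bytes(4));
mkdir("$base/share/docs", 0700, true);
file_put_contents("$base/share/docs/a.txt", 'sample');
symlink('/', "$base/share/beer");

$requests = ['docs/a.txt', 'docs/new.txt', 'beer/etc', 'beer/tmp/new.php', '../x'];
foreach ($requests as $request) {
    $resolved = resolve_inside("$base/share", $request);
    echo str_pad($request, 18), $resolved === null ? 'rejected' : 'allowed', PHP_EOL;
}
```

The check has to run on every operation (list, read, upload, rename), since the symlink can be planted through another protocol such as SMB or AFP after the share is created.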

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Thu Sep 25, 2014 4:35 pm

Well done and thanks for the instructions. Works perfectly!

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Thu Sep 25, 2014 5:04 pm

Now I have to figure out how to install/run OpenVPN...

daweed
Posts: 1
Joined: Wed Nov 19, 2014 1:17 pm

Re: KD21 root access?

Post by daweed » Wed Nov 19, 2014 1:22 pm

Hey nice to hear that u rooted the kd21 :)

I have the kd22 and I'm interested in rooting it too. Once I have SSH will it be possible to install pyload? What more advantages will root offer?

At least... will it be possible to unroot the NAS like a factory reset? I ask this because of warranty issues. THX

hyphen
Posts: 3
Joined: Tue Mar 10, 2015 12:56 pm

Re: KD21 root access?

Post by hyphen » Tue Mar 10, 2015 12:59 pm

Hey fezz, did you get a toolchain and openvpn running?

fezz
Posts: 6
Joined: Thu Sep 18, 2014 9:58 pm

Re: KD21 root access?

Post by fezz » Tue Mar 10, 2015 2:57 pm

nope, I gave up a while ago and moved on to other things :(
