General NAS-Central Forums

Welcome to the NAS community
It is currently Wed Dec 13, 2017 12:44 pm

All times are UTC




Post new topic Reply to topic  [ 13 posts ] 
Author Message
 Post subject: KD21 root access?
PostPosted: Thu Sep 11, 2014 2:09 am 
Offline

Joined: Thu Sep 11, 2014 1:56 am
Posts: 4
Hello,

I recently bought a KD21 and was hoping I could gain root access on it as per http://asham.ca/hardware/2013/12/gettin ... inas-kd20/ but found it does not work on the KD21 (firmware version 2.02.20140721).

I was hoping I could download the firmware, extract it and and look through it for something that might help (it downloads as a .tar.gz), but it doesn't appear to be a valid gzip file, it's probably encrypted.

Anyway, from reading the KD20 thread I saw reference to an /admin/ssh.php page off the admin url. I tried it on my KD21 and it asks for authentication, which maybe means it is possible, but I don't have the login/password. I tried root and atonnas, atonnas and atonnas as per the KD20 thread but found no love.

This NAS has real potential but the included firmware is really weak. You can't copy data from one drive to another on the KD21 without it going over your LAN, which makes setting it up a really slow task, even over gigabit, and the RAID support is really limited. ie: If you start with one drive, you can't mirror it without destroying your data. I would like to use it for more! Any advice?


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Thu Sep 11, 2014 6:47 pm 
Offline

Joined: Mon Jun 16, 2008 10:45 am
Posts: 6087
Some pointers: The tar.gz firmware file is a base64 encoded, encrypted, gzipped tarfile. It is possible to extract it, but it doesn't help. The rootfs is an ubifs image, and according to this page it's not easy to extract that.

But you can download the 'Firmware update via USB' package here. Besides the ubifs image it contains also an bzip2'ed tarball of the rootfs. (Almost 40 MB. And it's not used at all, as far as I can see).

in /usr/htdocs/admin/ssh.php you'll find chk_pw.php responsible for the login:
Code:
<?
//check password{{
if(!$_COOKIE['aton_nas_ssh']){
        if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // if is null, send header to show dialog box
    header('WWW-Authenticate: Basic realm="Administrator"');
    header('http/1.0 401 Unauthorized');
    echo 'Please enter user and password';
    exit;
        } else {
               
                $pwd = $_SERVER['PHP_AUTH_PW'];
                //$realpwd = "SqwfJ0XVOC/ZE";
                $realpwd = "ASI/prMp4QNHc";
               
        if (($_SERVER['PHP_AUTH_USER'] == "atonnas") && (crypt($pwd, $realpwd)==$realpwd)) {
        //if (($_SERVER['PHP_AUTH_USER'] == "atonnas") ) {
                $cartoon_time = time() + (10*60);    // set cookie for 10 minutes
                setcookie ('aton_nas_memocom','memocom_admin', $cartoon_time);           
        } else {
                echo "Invalid user name or password <br/>";
                echo "Please reopen browser, and try it again";
                exit;
        }
        }
}       
//check password}}     
?>
So I guess the login atonnas / ASI/prMp4QNHc should work. If that doesn't work you can try to inject the cookie aton_nas_memocom=memocom_admin.


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Sat Sep 13, 2014 3:59 pm 
Offline

Joined: Thu Sep 11, 2014 1:56 am
Posts: 4
Thanks for your help Mijzelf. Cookie injection does seem to be the right track.

i injected a cookie with contents:

aton_nas_ssh=//cookies ????????; path=/; domain=(ip of KD21)

Now after injecting when I go to (ip of NAS)/admin/ssh.php I have a menu option that says, "SSH Open now", a check box with SSH in it and a Save button. Anyway, this starts sshd on the KD21! I can putty in and get a response but I still don't know the login/password.

I'm not sure but if the RSA key is not unique maybe I can import it from the firmware into Putty.

What's interesting is that the cookie contents were only question marks. My text editor didn't support reading the Asian language and substituted question marks for it. It looks like it will accept question marks instead of the actual string. LOL!


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Thu Sep 18, 2014 10:03 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
Hi DickCheese,

I'm very curious to know if you managed to work around the user/pass issue log-in via SSH. I just purchased a KD21 and was very disappointed to learn that SSH access was not turned on. I never even considered researching this particular "feature".

Anyway, I'd very much like to unlock this, so if you've come up with a solution I would very much appreciate it if you could share it with us.

Thanks!


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Fri Sep 19, 2014 3:50 am 
Offline

Joined: Thu Sep 11, 2014 1:56 am
Posts: 4
I haven't been able to get further than simply enabling SSH so far. Anyway, if you want to enable it yourself download Firebug for Firefox. Go to your NAS IP, start Firebug and create a new cookie with the below contents. For Host, put the IP address of your KD21, not #.#.#.#

Name: aton_nas_ssh
Host: #.#.#.#
Path: /
Session: (ticked)
Value: //cookies ????????

After you have done this you should be able to access the /admin page of your KD21 to enable SSH and poke around at some other things.


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Fri Sep 19, 2014 11:56 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
Thanks!
I guess based on Mijzelf's post we know the login username is "atonnas", at least for this admin page.
Let us know if you figure out the SSH user/pass somehow.

Cheers!


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Mon Sep 22, 2014 10:35 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
I filed a support ticket with Shuttle a while back with the faint hope that they might consider opening SSH in their future FW updates. They went one step further and released the entire source code! If anyone is interested it can be downloaded here:
http://us.shuttle.com/download/KD21_KD22OpenSource.zip

Their support agent also told me they're working on "opening SSH".

I haven't had a chance to look at the FW yet (and I'm no expert). Hopefully this will open up the box to more possibilities.


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Tue Sep 23, 2014 6:13 am 
Offline

Joined: Thu Sep 11, 2014 1:56 am
Posts: 4
I've got root!

I can't take any real credit for it, I relied heavily on comments I read on asham.ca for the KD20, but it works!

It requires: A Linux box or Macintosh
A folder made and a user added with full permissions to it on the KD21 through its web interface.

Start SSH on the kd21 by going to <nas ip>/admin/ with a web browser and log in with the username atonnas and password backdoor when it asks you to authenticate. Click on the ssh link in the left pane and enable SSH on the pane that appears on the right.

Linux/Macintosh: Start a Terminal session and make a sym link to /
eg: ln -s / ./beer

My example will make a sym link named beer in your current folder that will navigate to the root filesystem.

Connect to the share via smb or afp from Linux/Mac with the user you made, navigate to your folder and copy the sym link (in my case, beer) into your folder.

Go to your KD21 via web url, <nas ip>/filesystem/index.php

This will start AjaXplorer.

Authenticate with the user and password you made, and select the folder you made via the dropdown menu. Go into the sym link you made (beer in my case). You are now in the root (/) filesystem!

Upload a php backdoor to /usr/htdocs/admin. I used php-backdoor.php which I found at http://users.freenet.am/~zombie/src/backdoor.php

After uploading it to /usr/htdocs/admin, you can now navigate to this backdoor by going to <nas ip>/admin/backdoor.php in your web browser

I executed the command echo -e "beer\nbeer\n" | sudo passwd root

This changed my root password to beer and allowed me to ssh into my kd21.

From here on out, it's all yours. I have a backup of the original passwd file because I fully intend to run it through hashcat and john the ripper. :)

fezz wrote:
I filed a support ticket with Shuttle a while back with the faint hope that they might consider opening SSH in their future FW updates. They went one step further and released the entire source code! If anyone is interested it can be downloaded here:
http://us.shuttle.com/download/KD21_KD22OpenSource.zip

Their support agent also told me they're working on "opening SSH".

I haven't had a chance to look at the FW yet (and I'm no expert). Hopefully this will open up the box to more possibilities.


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Thu Sep 25, 2014 4:35 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
Well done and thanks for the instructions. Works perfectly!


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Thu Sep 25, 2014 5:04 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
Now I have to figure out how install/run OpenVPN...


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Wed Nov 19, 2014 1:22 pm 
Offline

Joined: Wed Nov 19, 2014 1:17 pm
Posts: 1
Hey nice to hear that u rooted the kd21 :)

I have the kd22 and i'm interested in rooting it to. Once I have SSH will it be possible to install pyload? What more advantages will a root offering?

At least... will it be possible to unroot the NAS like an factory reset? I ask this because of warranty issues. THX


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Tue Mar 10, 2015 12:59 pm 
Offline

Joined: Tue Mar 10, 2015 12:56 pm
Posts: 3
hey fezz did you got a toolchain and openvpn running?


Top
 Profile  
 
 Post subject: Re: KD21 root access?
PostPosted: Tue Mar 10, 2015 2:57 pm 
Offline

Joined: Thu Sep 18, 2014 9:58 pm
Posts: 6
nope, I gave up a while ago and moved on to other things :(


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 13 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group