Tuesday, 23 February 2016

Cracking the NetApp 7 mode systemshell (c-shell) part 1

This was a request from one of the reader of my blog for deep dive into 7mode.

Logging into system shell:

netapp01>
netapp01> priv set diag
Warning: These diagnostic commands are for use by NetApp
         personnel only.
netapp01*> systemshell

Data ONTAP/amd64 (netapp01) (pts/0)

login: diag
Password:
Last login: Tue Feb 23 13:17:04 from localhost


Warning:  The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly.  Use this environment
only when directed to do so by support personnel.

netapp01% 

For some reason, the hidden diagnostic user is named diaguser but invoked as diag
When we login to the systemshell, we are into a C Shell (csh) with a user id of 1002 and a home directory of /var/home/diag. Some useful aliases for your reference:
bash-3.2# exit
netapp01% alias
h       (history 25)
j       (jobs -l)
la      (ls -a)
lf      (ls -FA)
ll      (ls -lA)

Unfortunately logging into systemshell as user diag does not provide you with root privileges.
So how do you become root? Quite easily as it turns out. The Bash shell exists at /usr/bin/bash and is owned by root. So invoking sudo bash changes your id to 0, i.e. root,. Note that no man pages are available in either of these shells.
By the way, you could also have entered sudo /bin/sh to instead use a Bourne shell, but then you would not have command completion or command history.
Here is the contents of /etc/sudoers:
netapp01%
netapp01% sudo bash
bash-3.2#
bash-3.2#

bash-3.2# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
# Uncomment if needed to preserve environmental variables related to the
# FreeBSD pkg_* utilities.
#Defaults       env_keep += "PKG_PATH PKG_DBDIR PKG_TMPDIR TMPDIR PACKAGEROOT PACKAGESITE PKGDIR"

# Uncomment if needed to preserve environmental variables related to
# portupgrade. (portupgrade uses some of the same variables as the pkg_*
# tools so their Defaults above should be uncommented if needed too.)
#Defaults       env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF"

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
diag    ALL=(ALL) NOPASSWD: ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL

# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
bash-3.2#

Nothing special.. just that the diag user gains root privileges without entering any password. where as root user needs to enter it.
Now, where is the real password file? Turns out that it is in /var/etc.
bash-3.2# cd /var/etc/
bash-3.2# ls
bootargs                ipf6.user.rules         periodic.conf.local
dhclient-enter-hooks    localtime               php.ini
dhclient.conf           master.passwd           pwd.db
fstab                   motd                    rc.conf
group                   ndmpd.conf              resolv.conf
host.conf               newsyslog.conf          spwd.db
hosts                   nsmb.conf               ssh
httpd-custom.conf       nsswitch.conf           sysctl.conf
httpd-custom.conf.old   ntp.conf                ttys
httpd-vserver.conf      opieaccess              ttys.old
inetd.conf              passwd                  vsa_vsphere_config
ipf.user.rules          periodic.conf
bash-3.2#

And here is the content of the password file as obtained by vipw:

# $FreeBSD$
#
root:$1$9f58c0d6$NcokQbZbvosXgi2G/EQ2L.:0:0::0:0:Charlie &:/root:/usr/sbin/nolog
in
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/no
login
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp
/uucico

the complete ontap backup is stored in 
bash-3.2# cd /cfcard/
bash-3.2# ls
BOOT_SEQ        cores           env             env_bak         x86_64

the mount details:

bash-3.2# mount
/dev/md0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/ad0s2 on /cfcard (msdosfs, local)
/dev/md1.uzip on / (ufs, local, read-only, union)
/dev/md2.uzip on /platform (ufs, local, read-only)
/dev/ad3 on /sim (ufs, local, noclusterr, noclusterw)
/dev/ad1s1 on /var (ufs, local, synchronous)
procfs on /proc (procfs, local)
/dev/md3 on /tmp (ufs, local, soft-updates)
localhost:0x80000000,0xef341a80 on /mroot (spin)
clusfs on /clus (clusfs, local)

All the configuration files are stored in:
bash-3.2# cd /mroot/etc
bash-3.2# ls
.avail                  firmware                registry
.mroot.cksum            group                   registry.0
.mroot_late.cksum       hba_fw                  registry.1
.pmroot.cksum           hosts                   registry.bck
.pmroot_late.cksum      hosts.bak               registry.default
.rotate_complete        hosts.equiv             registry.lastgood
.zapi                   hosts.equiv.bak         registry.local
acpp_fw                 http                    registry.local.0
asup_content.conf       initial_varfs.tgz       registry.local.1
backups                 keymgr                  registry.local.bck
cifs_homedir.cfg        lang                    rmtab
cifs_nbalias.cfg        lclgroups.bak           serialnum
cifsconfig_setup.cfg    lclgroups.cfg           services
cifsconfig_share.cfg    log                     shelf_fw
cifssec.cfg             man                     sldiag
clihelp                 messages                sm
cluster_config          messages.0              snmppersist.conf
configs                 mib                     sshd
crash                   mlnx                    stats
dgateways               mlog                    sysconfigtab
dgateways.bak           netapp_filer.dtd        syslog.conf.sample
disk_fw                 nsswitch.conf           tape_config
entropy                 nsswitch.conf.bak       usermap.cfg
entropy-file            oldvarfs.tgz            varfs.tgz
exports                 ontapAuditE.dll         vfiler
exports.bak             passwd                  vserver_4294967295
exports.old             quotas                  www
exports_arc             raid                    zoneinfo
filersid.cfg            rc
bash-3.2#
bash-3.2#
bash-3.2#

Will continue will lot more stuff in next part of the same blog, till then stay tuned.. Don't forget to share it.. 

2 comments:

  1. Netapp Guide: Cracking The Netapp 7 Mode Systemshell (C-Shell) Part 1 >>>>> Download Now

    >>>>> Download Full

    Netapp Guide: Cracking The Netapp 7 Mode Systemshell (C-Shell) Part 1 >>>>> Download LINK

    >>>>> Download Now

    Netapp Guide: Cracking The Netapp 7 Mode Systemshell (C-Shell) Part 1 >>>>> Download Full

    >>>>> Download LINK bY

    ReplyDelete
  2. It's essential to note that such activities are illegal and unethical, and can lead to severe consequences.
    Why Games Bad It's important to always use technology responsibly and within legal boundaries.

    ReplyDelete

Featured post

Netapp monitoring solution from scratch

I created a netapp monitoring solution on a UNIX machine... and have uploaded the static files to a free php server for so that you under...