Logging into system shell:
netapp01>
netapp01> priv set diag
Warning: These diagnostic commands are for use by NetApp
personnel only.
netapp01*> systemshell
Data ONTAP/amd64 (netapp01) (pts/0)
login: diag
Password:
Last login: Tue Feb 23 13:17:04 from localhost
Warning: The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly. Use this environment
only when directed to do so by support personnel.
netapp01%
For some reason, the hidden diagnostic user is named diaguser but is invoked as diag.
When we log in to the systemshell, we land in a C shell (csh) with user id 1002 and home directory /var/home/diag. Some useful aliases for your reference:
bash-3.2# exit
netapp01% alias
h (history 25)
j (jobs -l)
la (ls -a)
lf (ls -FA)
ll (ls -lA)
Unfortunately, logging in to the systemshell as user diag does not by itself give you root privileges.
So how do you become root? Quite easily, as it turns out. The Bash shell lives at /usr/bin/bash and is owned by root, and the sudoers file below lets diag run any command through sudo without a password, so invoking sudo bash changes your uid to 0, i.e. root. Note that no man pages are available in either of these shells.
By the way, you could also have entered sudo /bin/sh to get a Bourne shell instead, but then you would have neither command completion nor command history.
Here are the contents of /etc/sudoers:
netapp01%
netapp01% sudo bash
bash-3.2#
bash-3.2#
bash-3.2# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Uncomment if needed to preserve environmental variables related to the
# FreeBSD pkg_* utilities.
#Defaults env_keep += "PKG_PATH PKG_DBDIR PKG_TMPDIR TMPDIR PACKAGEROOT PACKAGESITE PKGDIR"
# Uncomment if needed to preserve environmental variables related to
# portupgrade. (portupgrade uses some of the same variables as the pkg_*
# tools so their Defaults above should be uncommented if needed too.)
#Defaults env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF"
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
diag ALL=(ALL) NOPASSWD: ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
bash-3.2#
Nothing special, except that the diag user gains root privileges without entering any password (the NOPASSWD entry), whereas the root user has to enter one.
Now, where is the real password file? It turns out to be in /var/etc.
bash-3.2# cd /var/etc/
bash-3.2# ls
bootargs ipf6.user.rules periodic.conf.local
dhclient-enter-hooks localtime php.ini
dhclient.conf master.passwd pwd.db
fstab motd rc.conf
group ndmpd.conf resolv.conf
host.conf newsyslog.conf spwd.db
hosts nsmb.conf ssh
httpd-custom.conf nsswitch.conf sysctl.conf
httpd-custom.conf.old ntp.conf ttys
httpd-vserver.conf opieaccess ttys.old
inetd.conf passwd vsa_vsphere_config
ipf.user.rules periodic.conf
bash-3.2#
And here is the content of the password file as obtained by vipw:
# $FreeBSD$
#
root:$1$9f58c0d6$NcokQbZbvosXgi2G/EQ2L.:0:0::0:0:Charlie &:/root:/usr/sbin/nologin
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
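Putting the sudoers and master.passwd listings above to defensive use, here is an added audit script (not from the original post) that flags passwordless "NOPASSWD: ALL" grants and lists every uid-0 account with its password state and login shell; the sample files are constructed from the listings, with a placeholder hash in place of the real one.

```shell
#!/bin/sh
# Added audit example, not code from the original post: given a sudoers file
# and a master.passwd file in the formats shown above, report who can reach
# uid 0 and how. Sample inputs are constructed, trimmed from the listings.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SUDOERS="$TMP/sudoers"
PASSWD="$TMP/master.passwd"

cat > "$SUDOERS" <<'EOF'
# constructed from the page's /etc/sudoers listing
root ALL=(ALL) ALL
diag ALL=(ALL) NOPASSWD: ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$PASSWD" <<'EOF'
# constructed from the page's master.passwd listing; hash is a placeholder
root:$1$xxxxxxxx$PLACEHOLDERhashNotFromThePage.:0:0::0:0:Charlie &:/root:/usr/sbin/nologin
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF

# Print each user or group granted "NOPASSWD: ALL", skipping commented lines,
# so the commented %wheel sample is not reported but diag is.
sudoers_nopasswd() {
    awk '$1 !~ /^#/ && /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }' "$1"
}

# For every uid-0 entry print: name, password state, login shell.
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell.
# "*" or a leading "!" means locked, an empty field means no password needed,
# and an empty shell field means the system default /bin/sh.
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 10 && $3 == 0 {
        if ($2 == "")            pw = "EMPTY"
        else if ($2 ~ /^[*!]/)   pw = "locked"
        else                     pw = "hash"
        sh = ($10 == "") ? "/bin/sh(default)" : $10
        print $1, pw, sh
    }' "$1"
}

# Run stand-alone: on the page's data this shows that root is only reachable
# via sudo from diag, since root itself has a nologin shell.
echo "passwordless sudo to ALL:"; sudoers_nopasswd "$SUDOERS"
echo "uid-0 accounts:";          uid0_accounts "$PASSWD"
```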
The complete ONTAP backup is stored in /cfcard:
bash-3.2# cd /cfcard/
bash-3.2# ls
BOOT_SEQ cores env env_bak x86_64
The mount details:
bash-3.2# mount
/dev/md0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/ad0s2 on /cfcard (msdosfs, local)
/dev/md1.uzip on / (ufs, local, read-only, union)
/dev/md2.uzip on /platform (ufs, local, read-only)
/dev/ad3 on /sim (ufs, local, noclusterr, noclusterw)
/dev/ad1s1 on /var (ufs, local, synchronous)
procfs on /proc (procfs, local)
/dev/md3 on /tmp (ufs, local, soft-updates)
localhost:0x80000000,0xef341a80 on /mroot (spin)
clusfs on /clus (clusfs, local)
All the configuration files are stored in /mroot/etc:
bash-3.2# cd /mroot/etc
bash-3.2# ls
.avail firmware registry
.mroot.cksum group registry.0
.mroot_late.cksum hba_fw registry.1
.pmroot.cksum hosts registry.bck
.pmroot_late.cksum hosts.bak registry.default
.rotate_complete hosts.equiv registry.lastgood
.zapi hosts.equiv.bak registry.local
acpp_fw http registry.local.0
asup_content.conf initial_varfs.tgz registry.local.1
backups keymgr registry.local.bck
cifs_homedir.cfg lang rmtab
cifs_nbalias.cfg lclgroups.bak serialnum
cifsconfig_setup.cfg lclgroups.cfg services
cifsconfig_share.cfg log shelf_fw
cifssec.cfg man sldiag
clihelp messages sm
cluster_config messages.0 snmppersist.conf
configs mib sshd
crash mlnx stats
dgateways mlog sysconfigtab
dgateways.bak netapp_filer.dtd syslog.conf.sample
disk_fw nsswitch.conf tape_config
entropy nsswitch.conf.bak usermap.cfg
entropy-file oldvarfs.tgz varfs.tgz
exports ontapAuditE.dll vfiler
exports.bak passwd vserver_4294967295
exports.old quotas www
exports_arc raid zoneinfo
filersid.cfg rc
bash-3.2#
I will continue with a lot more in the next part of this blog; till then, stay tuned. Don't forget to share it.