Tuesday 23 February 2016

Cracking the NetApp 7 mode systemshell (c-shell) part 1

This post was a request from one of the readers of my blog for a deep dive into 7-mode.

Logging into the system shell:

netapp01>
netapp01> priv set diag
Warning: These diagnostic commands are for use by NetApp
         personnel only.
netapp01*> systemshell

Data ONTAP/amd64 (netapp01) (pts/0)

login: diag
Password:
Last login: Tue Feb 23 13:17:04 from localhost


Warning:  The system shell provides access to low-level
diagnostic tools that can cause irreparable damage to
the system if not used properly.  Use this environment
only when directed to do so by support personnel.

netapp01% 

For some reason the hidden diagnostic account is named diaguser, yet you log in as diag.
When we log in to the systemshell we land in a C shell (csh) with user ID 1002 and home directory /var/home/diag. Some useful aliases, for your reference:
bash-3.2# exit
netapp01% alias
h       (history 25)
j       (jobs -l)
la      (ls -a)
lf      (ls -FA)
ll      (ls -lA)

Unfortunately, logging into the systemshell as diag does not by itself give you root privileges.
So how do you become root? Quite easily, as it turns out. Bash lives at /usr/bin/bash and is owned by root, and running sudo bash drops you into a shell with UID 0, i.e. root. Note that no man pages are available in either of these shells.
You could also enter sudo /bin/sh to get a Bourne shell instead, but then you would have neither command completion nor command history.
Here are the contents of /etc/sudoers:
netapp01%
netapp01% sudo bash
bash-3.2#
bash-3.2#

bash-3.2# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
# Uncomment if needed to preserve environmental variables related to the
# FreeBSD pkg_* utilities.
#Defaults       env_keep += "PKG_PATH PKG_DBDIR PKG_TMPDIR TMPDIR PACKAGEROOT PACKAGESITE PKGDIR"

# Uncomment if needed to preserve environmental variables related to
# portupgrade. (portupgrade uses some of the same variables as the pkg_*
# tools so their Defaults above should be uncommented if needed too.)
#Defaults       env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF"

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL
diag    ALL=(ALL) NOPASSWD: ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL) ALL

# Same thing without a password
# %wheel        ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
bash-3.2#

Nothing special, except that the diag user gains root privileges without entering any password, whereas root itself has to enter one.
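As an added example that is not part of the original post, the following Python script parses user-privilege lines of the shape shown in the sudoers listing above and flags the entries an auditor would want to see: accounts that can run any command as root, and in particular those that can do so with NOPASSWD. The sample text is constructed from the two live entries in the listing plus a commented-out rule and a restricted %users rule, so the parser's handling of comments and of a runas-less, command-limited rule is exercised too.

```python
import re

# Constructed sample, shaped like the user-privilege section of the sudoers
# file shown above, with a commented-out rule and a restricted rule added.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
diag    ALL=(ALL) NOPASSWD: ALL
# %wheel        ALL=(ALL) NOPASSWD: ALL
%users  localhost=/sbin/shutdown -h now
"""

# One user specification: user host=(runas) [TAG: ...] command
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>.+?)\s*$"
)


def parse_sudoers(text):
    """Return one dict per user-privilege line; comments, blanks and Defaults lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue                             # alias definitions etc. are out of scope here
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        entries.append({
            "user": m.group("user"),
            "host": m.group("host"),
            # sudo runs the command as root when no runas list is given
            "runas": m.group("runas") or "root",
            "tags": tags,
            "cmd": m.group("cmd"),
        })
    return entries


def audit_sudoers(entries):
    """Findings worth a second look: full root for any command, with or without a password."""
    findings = []
    for e in entries:
        full_root = e["cmd"] == "ALL" and e["runas"] in ("ALL", "root")
        if full_root and "NOPASSWD" in e["tags"]:
            findings.append((e["user"], "passwordless root for any command"))
        elif full_root:
            findings.append((e["user"], "root for any command (password required)"))
    return findings


if __name__ == "__main__":
    for user, why in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {why}")
```

Run against the sample, the script reports root as able to run anything with a password and diag as able to run anything without one, which is exactly the property that turns a diag login into a root shell. Pointing it at a real /etc/sudoers on a FreeBSD-based appliance is a quick way to inventory such accounts.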
Now, where is the real password file? It turns out to be in /var/etc:
bash-3.2# cd /var/etc/
bash-3.2# ls
bootargs                ipf6.user.rules         periodic.conf.local
dhclient-enter-hooks    localtime               php.ini
dhclient.conf           master.passwd           pwd.db
fstab                   motd                    rc.conf
group                   ndmpd.conf              resolv.conf
host.conf               newsyslog.conf          spwd.db
hosts                   nsmb.conf               ssh
httpd-custom.conf       nsswitch.conf           sysctl.conf
httpd-custom.conf.old   ntp.conf                ttys
httpd-vserver.conf      opieaccess              ttys.old
inetd.conf              passwd                  vsa_vsphere_config
ipf.user.rules          periodic.conf
bash-3.2#

And here is the content of the password file as obtained by vipw:

# $FreeBSD$
#
root:$1$9f58c0d6$NcokQbZbvosXgi2G/EQ2L.:0:0::0:0:Charlie &:/root:/usr/sbin/nologin
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
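As an added example, not taken from the original post, here is a Python audit for a FreeBSD-style master.passwd such as the one dumped above. Each line has ten colon-separated fields (name, password, uid, gid, class, change, expire, gecos, home, shell), and an empty shell field means /bin/sh. The script flags extra UID 0 accounts, empty password fields, accounts that have both a usable hash and an interactive shell, and MD5-crypt ($1$) hashes. The sample lines are constructed: the hashes are placeholders, and the diag and guest entries are invented for illustration (the post says diag is UID 1002 with a C shell, but its password line is not shown).

```python
# Constructed sample in the shape of the master.passwd dump above.
# Hashes are placeholders, and the diag and guest lines are invented.
SAMPLE_MASTER_PASSWD = """\
# $FreeBSD$
root:$1$constructed$PLACEHOLDERHASHxxxxxxx:0:0::0:0:Charlie &:/root:/usr/sbin/nologin
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
diag:$1$constructed$PLACEHOLDERHASHyyyyyyy:1002:1002::0:0:Diagnostic user:/var/home/diag:/bin/csh
guest::1003:1003::0:0:Guest:/var/home/guest:/bin/sh
"""

FIELDS = ("name", "passwd", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

EXTRA_ROOT = "extra UID 0 account"
EMPTY_PASSWORD = "empty password field"
INTERACTIVE = "usable password hash and interactive shell"
MD5_CRYPT = "MD5-crypt ($1$) hash; SHA-512 or bcrypt is preferred"


def parse_master_passwd(text):
    """Parse master.passwd text into a list of dicts, one per account."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed entry: {raw!r}")
        u = dict(zip(FIELDS, parts))
        u["uid"] = int(u["uid"])
        u["gid"] = int(u["gid"])
        u["shell"] = u["shell"] or "/bin/sh"   # FreeBSD: empty shell field means /bin/sh
        users.append(u)
    return users


def is_locked(pw):
    """A password field starting with '*' (or '!') cannot match any password."""
    return pw.startswith("*") or pw.startswith("!")


def audit(users):
    """Return (account, finding) pairs an administrator should review."""
    findings = []
    for u in users:
        name, pw = u["name"], u["passwd"]
        if u["uid"] == 0 and name != "root":
            findings.append((name, EXTRA_ROOT))
        if pw == "":
            findings.append((name, EMPTY_PASSWORD))
            continue
        if not is_locked(pw) and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, INTERACTIVE))
        if pw.startswith("$1$"):
            findings.append((name, MD5_CRYPT))
    return findings


if __name__ == "__main__":
    for name, why in audit(parse_master_passwd(SAMPLE_MASTER_PASSWD)):
        print(f"{name}: {why}")
```

On the sample, toor shows up as a second UID 0 account (locked, but still worth knowing about), root is flagged only for its hash algorithm because its shell is nologin, and the constructed diag and guest entries show the two cases an auditor most wants caught: a live hash with a login shell, and no password at all.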

The complete ONTAP backup is stored in:
bash-3.2# cd /cfcard/
bash-3.2# ls
BOOT_SEQ        cores           env             env_bak         x86_64

The mount details:

bash-3.2# mount
/dev/md0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/ad0s2 on /cfcard (msdosfs, local)
/dev/md1.uzip on / (ufs, local, read-only, union)
/dev/md2.uzip on /platform (ufs, local, read-only)
/dev/ad3 on /sim (ufs, local, noclusterr, noclusterw)
/dev/ad1s1 on /var (ufs, local, synchronous)
procfs on /proc (procfs, local)
/dev/md3 on /tmp (ufs, local, soft-updates)
localhost:0x80000000,0xef341a80 on /mroot (spin)
clusfs on /clus (clusfs, local)

All the configuration files are stored in:
bash-3.2# cd /mroot/etc
bash-3.2# ls
.avail                  firmware                registry
.mroot.cksum            group                   registry.0
.mroot_late.cksum       hba_fw                  registry.1
.pmroot.cksum           hosts                   registry.bck
.pmroot_late.cksum      hosts.bak               registry.default
.rotate_complete        hosts.equiv             registry.lastgood
.zapi                   hosts.equiv.bak         registry.local
acpp_fw                 http                    registry.local.0
asup_content.conf       initial_varfs.tgz       registry.local.1
backups                 keymgr                  registry.local.bck
cifs_homedir.cfg        lang                    rmtab
cifs_nbalias.cfg        lclgroups.bak           serialnum
cifsconfig_setup.cfg    lclgroups.cfg           services
cifsconfig_share.cfg    log                     shelf_fw
cifssec.cfg             man                     sldiag
clihelp                 messages                sm
cluster_config          messages.0              snmppersist.conf
configs                 mib                     sshd
crash                   mlnx                    stats
dgateways               mlog                    sysconfigtab
dgateways.bak           netapp_filer.dtd        syslog.conf.sample
disk_fw                 nsswitch.conf           tape_config
entropy                 nsswitch.conf.bak       usermap.cfg
entropy-file            oldvarfs.tgz            varfs.tgz
exports                 ontapAuditE.dll         vfiler
exports.bak             passwd                  vserver_4294967295
exports.old             quotas                  www
exports_arc             raid                    zoneinfo
filersid.cfg            rc
bash-3.2#

I will continue with a lot more in the next part of this series; until then, stay tuned, and don't forget to share it.

Comments:
  It's essential to note that such activities are illegal and unethical, and can lead to severe consequences. It's important to always use technology responsibly and within legal boundaries.
