Blanking the root password / enabling telnet

LS-SL

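Being able to log in as admin from the serial console only gets you so far, so I blank the root password to be able to become root, and enable telnet at the same time. To do that, I mount the LS-SL's HDD on another LinkStation that has been converted to Debian.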

Mounting on the LS-XHL

Connect to the LS-XHL over USB

Jul 7 05:02:35 brick kernel: usb 1-1: new high speed USB device using ehci_marvell and address 2
Jul 7 05:02:35 brick kernel: usb 1-1: configuration #1 chosen from 1 choice
Jul 7 05:02:35 brick kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Jul 7 05:02:40 brick kernel: scsi 2:0:0:0: Direct-Access ViPowER VP-89118(SD1) 2.10 PQ: 0 ANSI: 4
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: [sdb] Write Protect is off
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: [sdb] 976773168 512-byte hardware sectors (500108 MB)
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: [sdb] Write Protect is off
Jul 7 05:02:40 brick kernel: sdb: sdb1 sdb2 sdb3 sdb4 sdb5 sdb6
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: [sdb] Attached SCSI disk
Jul 7 05:02:40 brick kernel: sd 2:0:0:0: Attached scsi generic sg1 type 0
The clock is still completely off.

Mount /

brick:~# mkdir /tmp/root
brick:~# mount /dev/sdb2 /tmp/root
mount: unknown filesystem type 'mdraid'
brick:~# cat /proc/filesystems
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev sockfs
nodev pipefs
nodev anon_inodefs
nodev futexfs
nodev tmpfs
nodev inotifyfs
nodev devpts
 ext3
 ext2
nodev ramfs
nodev nfs
nodev nfs4
 jffs2
nodev autofs
 xfs
nodev rpc_pipefs
nodev usbfs
 vfat
brick:~#
No good, huh.

Mounting on the LS-WSGL

Connect it to the LS-WSGL, which is a RAID model.

Connect to the LS-WSGL

usb 1-1: new high speed USB device using ehci_platform and address 2
usb 1-1: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
Nov 2 19:41:27 mini kernel: usb 1-1: new high speed USB device using ehci_platform and address 2
Nov 2 19:41:28 mini kernel: usb 1-1: configuration #1 chosen from 1 choice
Nov 2 19:41:28 mini kernel: scsi2 : SCSI emulation for USB Mass Storage devices
 Vendor: ViPowER Model: VP-89118(SD1) Rev: 2.10
 Type: Direct-Access ANSI SCSI revision: 04
SCSI device sdc: 976773168 512-byte hdwr sectors (500108 MB)
sdc: Write Protect is off
sdc: assuming drive cache: write through
SCSI device sdc: 976773168 512-byte hdwr sectors (500108 MB)
sdc: Write Protect is off
sdc: assuming drive cache: write through
 sdc: sdc1
sd 2:0:0:0: Attached scsi disk sdc
sd 2:0:0:0: Attached scsi generic sg2 type 0
Nov 2 19:41:33 mini kernel: Vendor: ViPowER Model: VP-89118(SD1) Rev: 2.10
Nov 2 19:41:33 mini kernel: Type: Direct-Access ANSI SCSI revision: 04
Nov 2 19:41:33 mini kernel: SCSI device sdc: 976773168 512-byte hdwr sectors (500108 MB)
Nov 2 19:41:33 mini kernel: sdc: Write Protect is off
Nov 2 19:41:33 mini kernel: SCSI device sdc: 976773168 512-byte hdwr sectors (500108 MB)
Nov 2 19:41:33 mini kernel: sdc: Write Protect is off
Nov 2 19:41:33 mini kernel: sdc: sdc1
Nov 2 19:41:33 mini kernel: sd 2:0:0:0: Attached scsi disk sdc
Nov 2 19:41:33 mini kernel: sd 2:0:0:0: Attached scsi generic sg2 type 0
Only sdc1 is recognized.
So GPT really is not going to work on the LS-WSGL after all.

Hmm.
I don't have a machine here running a kernel that supports both GPT and mdraid.

Buffalo, you certainly give us all sorts of trials. Thank you.

Mounting on the LS-QL

The remaining RAID model I have here

Connect to the LS-QL

What about the LS-QL?
I booted the LS-QL, which had not been powered on for a long time. The stock firmware came up.

Connect over USB.

usb 2-1: new high speed USB device using ehci_marvell and address 2
usb 2-1: configuration #1 chosen from 1 choice
scsi2 : SCSI emulation for USB Mass Storage devices
/sbin/hotplug [usb_endpoint]
/sbin/hotplug [scsi_host]
/sbin/hotplug [usb]
/sbin/hotplug [usb_endpoint]
/sbin/hotplug [usb_endpoint]
/sbin/hotplug [usb]
/sbin/hotplug [usb_device]
[/etc/hotplug.d/usb_device/buffalo.hotplug] usb_device
Nov 2 19:59:18 LS-QL233 kernel: usb 2-1: new high speed USB device using ehci_marvell and address 2
Nov 2 19:59:19 LS-QL233 kernel: usb 2-1: configuration #1 chosen from 1 choice
Nov 2 19:59:19 LS-QL233 kernel: scsi2 : SCSI emulation for USB Mass Storage devices
*** /usr/local/bin/DirectCopy_wait.sh [usb_device]
1 USB_DEVICE=none
2 USB_DEVICE=none
scsi 2:0:0:0: Direct-Access ViPowER VP-89118(SD1) 2.10 PQ: 0 ANSI: 4
sd 2:0:0:0: [sdc] 976773168 512-byte hardware sectors (500108 MB)
sd 2:0:0:0: [sdc] Write Protect is off
sd 2:0:0:0: [sdc] Assuming drive cache: write through
sd 2:0:0:0: [sdc] 976773168 512-byte hardware sectors (500108 MB)
sd 2:0:0:0: [sdc] Write Protect is off
sd 2:0:0:0: [sdc] Assuming drive cache: write through
 sdc:/sbin/hotplug [scsi_disk]
/sbin/hotplug [scsi]
 sdc1 sdc2 sdc3 sdc4 sdc5 sdc6
/sbin/hotplug [block]
/sbin/hotplug [block]
/sbin/hotplug [block]
/sbin/hotplug [block]
/sbin/hotplug [block]
sd 2:0:0:0: [sdc] Attached SCSI disk
/sbin/hotplug [block]
/sbin/hotplug [block]
sd 2:0:0:0: Attached scsi generic sg2 type 0
Nov 2 19:59:23 LS-QL233 kernel: scsi 2:0:0:0: Direct-Access ViPowER VP-89118(SD1) 2.10 PQ: 0 ANSI: 4
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] 976773168 512-byte hardware sectors (500108 MB)
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] Write Protect is off
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] Assuming drive cache: write through
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] 976773168 512-byte hardware sectors (500108 MB)
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] Write Protect is off
Nov 2 19:59:23 LS-QL233 kernel: sd 2:0:0:0: [sdc] Assuming drive cache: write through
Nov 2 19:59:24 LS-QL233 kernel: sdc: sdc1 sdc2 sdc3 sdc4 sdc5 sdc6
Nov 2 19:59:24 LS-QL233 kernel: sd 2:0:0:0: [sdc] Attached SCSI disk
Nov 2 19:59:24 LS-QL233 kernel: sd 2:0:0:0: Attached scsi generic sg2 type 0
/sbin/hotplug [scsi_generic]
/sbin/hotplug [scsi_device]
3 USB_DEVICE=none
4 USB_DEVICE=none
*** /usr/local/bin/DirectCopy_wait.sh [stop]
BASENAME=usbdisk2
MPT=/mnt/usbdisk2/
try vfat(usbdisk)
FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
/sbin/hotplug [module]
/sbin/hotplug [module]
GPT partition
Nov 2 19:59:32 LS-QL233 kernel: FAT: utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
minor=1 (ext3)
kjournald starting. Commit interval 5 seconds
EXT3 FS on sdc1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
## STATE_CHANGED ##
*** [/etc/hotplug.d/scsi_device/usb-buffalo.hotplug 6357] Restarting Daemons...
Nov 2 19:59:34 LS-QL233 kernel: kjournald starting. Commit interval 5 seconds
Nov 2 19:59:34 LS-QL233 kernel: EXT3 FS on sdc1, internal journal
Nov 2 19:59:34 LS-QL233 kernel: EXT3-fs: mounted filesystem with ordered data mode.
*** /usr/local/bin/DirectCopy_wait.sh []
1 USB_DEVICE=/mnt/usbdisk2
direct copy mode : ready
/sbin/hotplug [module]
/sbin/hotplug [module]
NET: Registered protocol family 5
/sbin/hotplug [module]
Nov 2 19:59:41 LS-QL233 kernel: NET: Registered protocol family 5
Nov 2 19:59:46 LS-QL233 nmbd[2477]: [2009年11月02日 19:59:46, 0] nmbd/nmbd.c:terminate(58)
Nov 2 19:59:46 LS-QL233 nmbd[2477]: Got SIGTERM: going down...
Did it work?
root@LS-QL233:~# parted -s /dev/sdc print
Model: ViPowER VP-89118(SD1) (scsi)
Disk /dev/sdc: 500GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
 1 17.4kB 1024MB 1024MB ext3 primary
 2 1024MB 6144MB 5120MB xfs primary
 3 6144MB 6144MB 512B primary
 4 6144MB 6144MB 512B primary
 5 6144MB 7168MB 1024MB linux-swap primary
 6 7168MB 492GB 485GB xfs primary
root@LS-QL233:~#
It works!

I don't keep the whole lineup around for nothing.

Mount on the LS-QL

root@LS-QL233:~# mkdir /tmp/root
root@LS-QL233:~# mount /dev/sdc2 /tmp/root
XFS mounting filesystem sdc2
root@LS-QL233:~# ls /tmp/root
bin initrd proc usr
boot lib root var
dev lighttpd.webui sbin www
etc mnt sys
home modules tmp
root@LS-QL233:~#

Blank the root password

root@LS-QL233:~# vi /tmp/root/etc/shadow
	:
	:
root@LS-QL233:~# grep root !$
grep root /tmp/root/etc/shadow
root::11009:0:99999:7:::
root@LS-QL233:~#

Enable telnet

First, check that it exists
root@LS-QL233:~# ls -l /tmp/root/usr/sbin/telnetd
lrwxrwxrwx 1 root root 17 Aug 21 10:22 /tmp/root/usr/sbin/telnetd -> ../../bin/busybox
root@LS-QL233:~#
There it is.
Add it to /etc/rcS
root@LS-QL233:~# tail /tmp/root/etc/init.d/rcS
exec_sh bootcomplete.sh
echo "** step final(after bootcomplete) **"
for cmd in hdd_late_check.sh check_initialization.sh usb_late_check.sh
do
 exec_sh ${cmd}
done
/usr/local/bin/share_delete.sh &
root@LS-QL233:~# echo>> !$
echo>> /tmp/root/etc/init.d/rcS
root@LS-QL233:~# echo /usr/sbin/telnetd>> !$
echo /usr/sbin/telnetd>> /tmp/root/etc/init.d/rcS
root@LS-QL233:~# !tail
tail /tmp/root/etc/init.d/rcS
echo "** step final(after bootcomplete) **"
for cmd in hdd_late_check.sh check_initialization.sh usb_late_check.sh
do
 exec_sh ${cmd}
done
/usr/local/bin/share_delete.sh &
/usr/sbin/telnetd
root@LS-QL233:~#

Unmount

root@LS-QL233:~# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/md1 4993920 382048 4611872 8% /
/dev/ram1 15360 132 15228 1% /mnt/ram
/dev/md0 995928 172320 823608 17% /boot
/dev/disk1_6 148376092 66344 148309748 0% /mnt/disk1
/dev/disk2_6 148376092 612 148375480 0% /mnt/disk2
/dev/usbdisk2_1 991928 162188 829740 16% /mnt/usbdisk2
/dev/sdc2 4989696 374104 4615592 7% /mnt/ram/root
root@LS-QL233:~# umount /tmp/root/
root@LS-QL233:~# umount /mnt/usbdisk2/
root@LS-QL233:~# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/md1 4993920 382024 4611896 8% /
/dev/ram1 15360 132 15228 1% /mnt/ram
/dev/md0 995928 172320 823608 17% /boot
/dev/disk1_6 148376092 66344 148309748 0% /mnt/disk1
/dev/disk2_6 148376092 612 148375480 0% /mnt/disk2
root@LS-QL233:~#

Boot the LS-SL

Connect the HDD to the LS-SL and boot

Log in as root from the serial console

BUFFALO INC. LinkStation series
LS-SL807 login: root
No mail.
root@LS-SL807:~#

Log in via telnet

yasunari@sil:~$ telnet 192.168.2.207
Trying 192.168.2.207...
Connected to 192.168.2.207.
Escape character is '^]'.
BUFFALO INC. LinkStation series
LS-SL807 login: root
No mail.
root@LS-SL807:~#
done!
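
An added example, not part of the original page: a shell check that audits an offline-mounted root filesystem for the two changes made above, an empty password field in etc/shadow and a telnetd line in etc/init.d/rcS. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an offline-mounted root filesystem for the two
# changes made on this page. Function names are hypothetical.

# Accounts whose password field (2nd field of etc/shadow) is empty.
empty_password_accounts() {
    [ -r "$1/etc/shadow" ] || return 0
    awk -F: 'NF > 1 && $2 == "" { print $1 }' "$1/etc/shadow"
}

# Uncommented rcS lines that start telnetd, prefixed with line numbers.
telnetd_start_lines() {
    [ -r "$1/etc/init.d/rcS" ] || return 0
    grep -nE '^[^#]*telnetd' "$1/etc/init.d/rcS" || true
}

# Report findings for the tree at $1; returns non-zero if any were found.
audit_rootfs() {
    root=$1
    findings=0
    for user in $(empty_password_accounts "$root"); do
        echo "FINDING: '$user' has an empty password field in etc/shadow"
        findings=$((findings + 1))
    done
    lines=$(telnetd_start_lines "$root")
    if [ -n "$lines" ]; then
        echo "FINDING: etc/init.d/rcS starts telnetd at $lines"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample tree mirroring the state the disk is left in above.
sample=$(mktemp -d)
mkdir -p "$sample/etc/init.d"
printf '%s\n' 'root::11009:0:99999:7:::' \
    'admin:$1$CONSTRUCTED$placeholder:11009:0:99999:7:::' > "$sample/etc/shadow"
printf '%s\n' '/usr/local/bin/share_delete.sh &' '' \
    '/usr/sbin/telnetd' > "$sample/etc/init.d/rcS"

audit_rootfs "$sample" || echo "rootfs at $sample needs attention"
```

Point it at the mount point of the disk under inspection, for example `audit_rootfs /tmp/root`.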




Copyright (C) 2003-2009 Yasunari Yamashita. All Rights Reserved.
yasunari @ yamasita.jp Yasunari Yamashita @ Muko City, Kyoto Prefecture
