-
Notifications
You must be signed in to change notification settings - Fork 3
/
StartingNotes.txt
182 lines (175 loc) · 9.2 KB
/
StartingNotes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
Xyzel NAS 326:
- default password is: admin, 1234
- Could scan to see how often this is changed?
- For some reason, the findme did not work? Had to use the guide here: https://support.zyxel.eu/hc/en-us/articles/360006213873-First-Step-Guide-for-Zyxel-NAS
- The server runs on a 'Linux NAS326 3.10.39 #1 Thu Nov 10 14:18:33 CST 2016 armv7l GNU/Linux'
- /etc/zyxel:Where most secrets live...
- Configuration files for services and storage info, including databases and other things.
- /etc/zyxel/storage/sysvol/ stores the files, photos and things.
- ssh/:
- Has public and private keys to view and do things! I wonder what these keys are used for/if they are hardcoded (?)
- /i-data/.system/rsyncd.secrets:
- admin:MTIzNDU=
- The password is stored in plaintext, but only base64 encoded... *
- /bin: Interesting binaries:
- nsa400getconfig.sh
- scriptreplay
- script
- recover_zysh.sh:
- A shell script to fix up the zysh interface.
- upgrade_firmware.sh
- zyfw_downloader
- zysh:
The zy shell object. Used all over the place!
But, in the current version of the firmware, it got removed...
- Command:
- wget, curl
- python
- grep, psgrep, ps
- read-only file system:
- Is there a way to bypass this?
- ASLR is turned on...
- MAC:
- 8c:59:73:15:74:3e
- Serial:
- S180Y04059599
Website Architexture:
- Uses ftp://ftp2.zyxel.com/NAS326/ for updates to firmware and packages.
- Uses python and apache.
- Go to /ram_bin/usr/local/apache/ to find everything.
- At this level there are several things:
- cgi-bin: command gateway interface (which are binaries at the moment)
- These look like they are C compiled binaries... Likely not getting these back, unless we feel like reverse engineering these.
- htdocs: Where the desktop and playzone directories with HTML are stored
- modules: Some sort of binary file...Not entirely sure what these are!
- web_framework: The location for all of the python logic, scripts and views. The files are in the .pyc form.
- https://pypi.org/project/uncompyle6/
- These files are all possible to decompile!
- index.html and login.html are stored in /ram_bin/usr/local/apache/htdocs/desktop
- After the vulnerability found by ISE, they COMPLETELY TOOK OUT THE zyshclient! That's right; completely removed it! Then, they wrote python based cgi's to make up for it.
- In main_wsgi.py:
- I think the URL called depends on the function called for the API..
- For instance, 'tjp6jp6y4' in the REST format would call this particular function. Then, it redirects to 'tjp6jp6y4_to_wsgi_server/%s/%s' to call the controller in the proper way.
- More information in the fileye folder that deals with ftp, youtube and more.
- For whatever reason, the two main API's work in the same way (tjp6jp6y4, ck6fup6). Only tjp6jp6y4 sends back useful debugging information. So, use this api when fuzzing.
NAS website:
- Uses cherrpy as the web framework of choice, with a combination of Jquery for dynamic webpages.
- Two main portals:
- desktop,
- playzone,
The playzone is the more feature rich of the two.
- Also connections at ports 5002 and 5003. These are for allowing shared folder remotely with WebDav.
- There is a value in the URL that is dynamically generated upon each login. This is known as the 'DYNAMIC_STRING' within code. I believe that this is the firmware value currently running.
- Uses WSGI to deploy the app:
- https://www.digitalocean.com/community/tutorials/how-to-deploy-python-wsgi-applications-using-a-cherrypy-web-server-behind-nginx#serving-python-web-applications-with-cherrypy-web-server
- Functionality:
- Storage manager:
- View and edit disk groups, hard disk info and volume info
- ISCI: Storage area network protocol. Clients can connect to the target to access the volume. as a locally accessible drive.
- External storage info.
- Control Panel:
- Deal with users, groups and shared folders.
- Including the editing, viewing and adding of users.
- TCP/IP:
- Enable HTTPS, DNS servers, network diagnosis with ping (?)
- Upnp: Port mapping and setup.
- Enable SSH and telnet services.
- Enabling dynamic DNS
- Server information, date/time changing and firmware upgrade.
- FTP server settings
- Web publishing options?
- Print server
- Sys logs
- Power, backups, factory reset, logs (? XSS)
- Status center:
- Shows basic system information and network info
- App center:
- Has a place to browse and use apps for the services.
-dropbox, googledrive, memopal, NF, nzbget, PHPmyadmin, logitech, tftp, transmission, wordpress, gallery, myZyXELcloud-agent,own cloud, pyLoad.
- Download service: ???
- Upload manager:
- Upload items to Flickr or youtube.
- HTTP to get token?
- FTP Uploader too.
- Backup Planner:
- Allow file systems or something to be copied?
- Can do this on a timed basis.
- Sync and copy button
- Time machine
- Help:
- Has very,very,very extensive doc pages!
- File Browser (playzone)
- Add, edit, remove, compress, uncompress files.
- Photos (playzone):
- Displays all photos that the user can see.
- Has search capabilites! Where to find a XSS platform to attack? Source code?
- Music/video:
- Area to store music and video.
- myZyXELcloud:
- The way to view the service on the internet.
- maxwell-5.zyxel.me is the way to externally connect to the machine.
- Connectable on port 8000
- 73.59.30.69 is the IP
- Video turorial: Redirects to youtube list.
- Knowledge base:
- Redirects to forums
- Twonky:
- Redirects to port 9001 where the media and file transfer is at.
- The web pages for this are in /ram_bin/usr/local/dmsf/binary
- The rpc interface comes from the twonkyserver file
- It has a strange combination of Python and Javascript, Jquery involved with it:
- How does this work, exactly?
- Auth:
- Flow:
- The uam_update_callback is a function that is a middleware for the authentication. On update_callback an auth request is made before all of the other actions happen. This function can be found in the tools_cherrypy function.
- First, it grabs the IP address and the auth token
- Then, c_int_exec is called. Which directs us to tools.py
- Within tools.py we know that the updateUamInfo request is coming.
- This function then calls the utilities.so file (using ctypes) to call updateUamInfo within the .so file.
- uam: universal authentication manager.
- dispatch_int is the function being called with the updateUamInfo, ip address and auth token being passed in as a parameter.
- Remounting:
https://askubuntu.com/questions/754091/what-is-the-difference-between-etc-fstab-and-etc-mtab
- fstab:
- http://www.linfo.org/etc_fstab.html
- 1) Physical location of each filesystem
- 2) Mount point. The directory in the filesystem listed on that line that attached to the root (/) file system.
3) The file system type. ext2 is the most common (which is what the root OS is)
4) defaults are rw, suid, dev, exec, and nouser. So, what does this mean? The code section is read-only, not the OS is not?
- cat /proc/mounts or etc/mtab:
- This shows that these sections on the mounts are read-only with the 'ro'. How to change this?
- Differences:
- fstab contains lines describing what devices are moutned, using what options.
- mtab has the CURRENT mount information.
- Current mount information...
/proc /proc proc rw 0 0
/sys /sys sysfs rw 0 0
devpts /dev/pts devpts rw 0 0
ubi6:ubi_rootfs2 /firmware/mnt/nand ubifs ro 0 0
/dev/md0 /firmware/mnt/sysdisk ext4 ro 0 0
/dev/loop0 /ram_bin ext2 ro 0 0
/ram_bin/usr /usr none ro,bind 0 0
/ram_bin/lib/security /lib/security none ro,bind 0 0
/ram_bin/lib/modules /lib/modules none ro,bind 0 0
/ram_bin/lib/locale /lib/locale none ro,bind 0 0
/dev/ram0 /tmp/tmpfs tmpfs rw,size=5m 0 0
/tmp/tmpfs/usr_etc /usr/local/etc none rw,bind 0 0
ubi2:ubi_config /etc/zyxel ubifs rw 0 0
/dev/md2 /i-data/9d22a2b1 ext4 rw,noatime,usrquota,data=ordered,barrier=1 0 0
/i-data/9d22a2b1/.system/zy-pkgs/pkggui /usr/local/apache/htdocs/desktop,/pkg none rw,bind 0 0
configfs /sys/kernel/config configfs rw 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw 0 0
- init system can change the mounting settings
- Ran ps to find the first process that runs. Saw that init was the first thing that ran.
- init is just a bash script. So, we looked through this.
- Within init, the mounts we were looking for were not on the device. So, we saw that linuxrc runs /etc/init.d/rcS.
- Within this script, there is
`${MOUNT} -t ext2 -o loop,ro ${DISK_PATH}/sysdisk.img ${IMG_PATH}`
- If this is changed to rw, then this should mount as rw!
- /firmware/mnt/sysdisk/sysdisk.img is being mounted to the (ro,bind) type. But, if this could be remounted.
- This script must be loaded by something else... Even if you alter the file, the script is changed back. I wonder what makes the change to this file?
- The /init file is changed back to the original form if it is altered...
- Does this mean that the shutdown script is altering these files before the shutdown?
-