Great, now I am looking at hardware firewalls on eBay for a side project to do
-
I got an X11 generation motherboard installed with some minor chassis modification. With the ASIC card installed, the server won't POST. No beeps, no VGA, no anything.
Going to stop fucking around with the hardware, and start to disassemble the disk image I took.
-
$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.:aaaaaaaaaa
-
Ryan Castellucci :nonbinary_flag: replied to kajer
@kajer why is it so fabulous?
-
Ryan Castellucci :nonbinary_flag: replied to kajer
@kajer that's a password an idiot would use on their luggage
-
kajer replied to Ryan Castellucci :nonbinary_flag:
@ryanc

    // changePassword is used by Local User Databa/Users and Administrators
    // its main purpose is to replace UI 'password' field with <phash>
    // It assumes that UI is responsible for sending password when appropriate
    // If password is not changed from UI, <password> must NOT be sent, instead
    // original <phash> (if available) must be sent back
    static function changePassword(&$jsonArgs) {
        if ($jsonArgs) {
            if (!is_array($jsonArgs)) {
                $jsonArgs = Util::objectToArray($jsonArgs);
            }
        }
        $doc = new DOMDocument();
        $doc->preserveWhiteSpace = false;
        $editing = is_object($jsonArgs);
        $id = $jsonArgs['id'];
        // <password> is not part of schema we need to trim it out of final xml data
        // to do that, load data, then trim
        if (!$jsonArgs['set']) {
            $doc->loadXML($jsonArgs['data']);
        } else {
            // new record: Add wrapper <entry> data..</entry> for loading DOMDocument
            $doc->loadXML('<entry>' . $jsonArgs['data'] . '</entry>');
        }
        $domData = $doc->documentElement;
        $password = $doc->getElementsByTagName('password')->item(0);
        $passChange = false;
        $passwordValue = '';
        // Debug::log("Raw data " . __LINE__ . ' ' . $jsonArgs['data']);
        if ($password) {
            $foundPhash = false;
            $passwordValue = $password->nodeValue;
            // NOTE: this routine expecting phash is always sent for password change
            $phash = $doc->getElementsByTagName('phash')->item(0);
            // hash new password
            $template = $jsonArgs['template'];
            $tplPart = isset($template) ? "<templatename>$template</templatename>": "";
            $opCmd = "<request><password-hash><password>" . Xml::escape($password->nodeValue) . "</password><username>" . Xml::escape($jsonArgs["id"]) . "</username>$tplPart</password-hash></request>";
            $phashResult = Direct::noLog("Direct::runOpCommand", array($opCmd));
            //<response status="success"><result><phash>$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.</phash></result></response>
            if ($phashResult["@status"] !== "success") {
                $exceptionMessage = "";
                if (is_array($phashResult["msg"]["line"])) {
                    $exceptionMessage = join("\n", $phashResult["msg"]["line"]);
                }
                else if (is_array($phashResult["msg"])) {
                    $exceptionMessage = join("\n", $phashResult["msg"]);
                } else {
                    $exceptionMessage = $phashResult["msg"]["line"];
                }
                $exceptionMessage = str_replace("request -> password-hash ->", "-", $exceptionMessage);
                throw new Exception (Xml::escape($exceptionMessage));
            }
            // trim password
            $domData->removeChild($password);
            if ($phash) {
                $phash->nodeValue = Xml::escape($phashResult['result']['phash']);
                $foundPhash = true;
            }
            // LIBXML_NOXMLDECL does not work
            //$jsonArgs->data = $doc->saveXML(null, LIBXML_NOXMLDECL);
            $xml = $doc->saveXML();
            // Debug::log("Line" . __LINE__ . " xml=" . $xml . ' foundHash=' . $foundPhash);
            // need to set start to after XML decl <?xml version="1.0"
            $xml = substr_replace($xml, '', 0, strlen('<?xml version="1.0"?>'));
            // add new object
            $phashXML = '<phash>' . Xml::escape($phashResult['result']['phash']) . '</phash>';
            if ($jsonArgs['set']) {
                // strip off <entry> and </entry> for 'set' command
                $start = strpos($xml, "<entry>");
                $xml = substr_replace($xml, '', $start, strlen('<entry>'));
                $start = strrpos($xml, "</entry>");
                $xml = substr_replace($xml, '', $start, strlen('</entry>'));
                if ($foundPhash)
                    $jsonArgs['data'] = $xml;
                else
                    $jsonArgs['data'] = $xml . $phashXML;
            } else { //editing object
                if ($foundPhash)
                    $jsonArgs['data'] = $xml;
                else
                    $jsonArgs['data'] = substr_replace($xml, $phashXML, strrpos($xml, "</entry>"), 0);
            }
            //Debug::log("Line" . __LINE__ . " data=" . $jsonArgs['data']);
            $passChange = true;
            $jsonArgs['password'] = $passwordValue;
            $jsonArgs['phash'] = $phashResult['result']['phash'];
        }
        return $passChange;
    }

-
I was unsuccessful in getting a different OS on the existing motherboard.
PXEboot results in continuous beeping just after trying to get the pxelinux.0 file.
Booting FreeBSD11 results in a partial load of the kernel until something beeps and the boot hangs.
Booting various i386 Linux is the same, something causes a short beep and the boot process hangs.
I swapped the X6 motherboard with an X11, but with the ASIC installed, the MB won't POST.
-
I dug into the OS a little bit last night after doing hardware stuff. The OS is based on RHEL but I can't quite tell which version.
I am thinking I clone the HDD back to another disk, but inject a root password into the shadow file so I can log in to the underlying OS before PanOS takes over getty.
-
kajer replied to Ryan Castellucci :nonbinary_flag:
@ryanc My guess is: It's a custom BIOS that supports some sort of additional PCIe expander.
Given the issue that the ASIC card won't let me POST on another newer motherboard, but that is just a guess.
-
If I do manage to boot a vanilla RHEL, I might be able to pillage some device/ASIC drivers out of the rpm library I found in the disk I mounted.
-
Put everything back, but with a video card installed. Managed to stop GRUB in an attempt to get single user mode.
GRUB has an MD5crypt password (hashcat -m 500)
yay
I can either change it on disk, or... CRACK IT
-
cool, cool... not in the rockyou.txt I have
Time to fire up my CMIYC cluster... my laptop 940MX won't be up to the abuse I have planned.
-
Ryan Castellucci :nonbinary_flag: replied to kajer
@kajer never change