Great, now I am looking at hardware firewalls on ebay for a side project to do

kajer

I seem to be ignoring the obvious... replacing the motherboard with something not 3000 years old.

kajer

I got an X11 generation motherboard installed with some minor chassis modification. With the ASIC card installed, the server wont post. no beeps, no vga, no anything.

Going to stop fucking around with the hardware, and start to disassemble the disk image i took,

kajer

$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.:aaaaaaaaaa

Ryan Castellucci :nonbinary_flag:

@kajer why is it so fabulous?

Ryan Castellucci :nonbinary_flag:

@kajer that's a password an idiot would use on their luggage

kajer

@ryanc
// changePassword is used by Local User Databa/Users and Administrators
// its main purpose is to replace UI 'password' field with <phash>
// It assumes that UI is responsible for sending password when appropirate
// If password is not changed from UI, <password> must NOT be sent, instead
// original <phash> (if available) must be sent back
static function changePassword(&$jsonArgs) {
if ($jsonArgs) {
if (!is_array($jsonArgs)) {
$jsonArgs = Util::objectToArray($jsonArgs);
}
}
$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$editing = is_object($jsonArgs);
$id = $jsonArgs['id'];
// <password> is not part of schema we need to trim it out of final xml data
// to do that, load data, then trim
if (!$jsonArgs['set']) {
$doc->loadXML($jsonArgs['data']);
} else {
// new record: Add wrapper <entry> data..</entry> for loading DOMDocument
$doc->loadXML('<entry>' . $jsonArgs['data'] . '</entry>');
}

$domData = $doc->documentElement;
$password = $doc->getElementsByTagName('password')->item(0);
$passChange = false;
$passwordValue = '';
// Debug::log("Raw data " . __LINE__ . ' ' . $jsonArgs['data']);

if ($password) {
$foundPhash = false;
$passwordValue = $password->nodeValue;
// NOTE: this routine expecting phash is always sent for password change
$phash = $doc->getElementsByTagName('phash')->item(0);
// hash new password
$template = $jsonArgs['template'];
$tplPart = isset($template) ? "<templatename>$template</templatename>": "";
$opCmd = "<request><password-hash><password>" . Xml::escape($password->nodeValue) . "</password><username>" . Xml::escape($jsonArgs["id"]) . "</username>$tplPart</password-hash></request>";
$phashResult = Direct::noLog("Direct::runOpCommand", array($opCmd));
//<response status="success"><result><phash>$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.</phash></result></response>
if ($phashResult["@status"] !== "success") {
$exceptionMessage = "";
if (is_array($phashResult["msg"]["line"])) {
$exceptionMessage = join("\n", $phashResult["msg"]["line"]);
}
else if (is_array($phashResult["msg"])) {
$exceptionMessage = join("\n", $phashResult["msg"]);
} else {
$exceptionMessage = $phashResult["msg"]["line"];
}
$exceptionMessage = str_replace("request -> password-hash ->", "-", $exceptionMessage);
throw new Exception (Xml::escape($exceptionMessage));
}
// trim password
$domData->removeChild($password);
if ($phash) {
$phash->nodeValue = Xml::escape($phashResult['result']['phash']);
$foundPhash = true;
}
// LIBXML_NOXMLDECL does not work
//$jsonArgs->data = $doc->saveXML(null, LIBXML_NOXMLDECL);
$xml = $doc->saveXML();
// Debug::log("Line" . __LINE__ . " xml=" . $xml . ' foundHash=' . $foundPhash);
// need to set start to after XML decl <?xml version="1.0"
$xml = substr_replace($xml, '', 0, strlen('<?xml version="1.0"?>'));
// add new object
$phashXML = '<phash>' . Xml::escape($phashResult['result']['phash']) . '</phash>';
if ($jsonArgs['set']) {
// strip off <entry> and </entry> for 'set' command
$start = strpos($xml, "<entry>");
$xml = substr_replace($xml, '', $start, strlen('<entry>'));
$start = strrpos($xml, "</entry>");
$xml = substr_replace($xml, '', $start, strlen('</entry>'));
if ($foundPhash)
$jsonArgs['data'] = $xml;
else
$jsonArgs['data'] = $xml . $phashXML;
} else { //editing object
if ($foundPhash)
$jsonArgs['data'] = $xml;
else
$jsonArgs['data'] = substr_replace($xml, $phashXML, strrpos($xml, "</entry>"), 0);
}
//Debug::log("Line" . __LINE__ . " data=" . $jsonArgs['data']);
$passChange = true;
$jsonArgs['password'] = $passwordValue;
$jsonArgs['phash'] = $phashResult['result']['phash'];
}
return $passChange;
}

kajer

@ryanc
https://pastebin.com/rSLjnC9J

kajer

I was unsuccessful in getting a different OS on the existing motherboard.

PXEboot results in continuous beeping just after trying to get the pxelinux.0 file

Booting FreeBSD11 results in a partial load of the kernel until something beeps and the boot hangs.

Booting various i386 linux is the same, something causes a short beep and the boot process hangs.

I swapped the X6 motherboard with a X11, but with the ASIC installed, the MB won't post.

kajer

I dug in to the OS a little bit last night after doing hardware stuff. The OS is based on RHEL but can't quite tell which version.

I am thinking I clone the HDD back to another disk, but inject a root password in to the shadow file so I can login to the underlying OS before PanOS takes over getty.

kajer

@ryanc My guess is: It's a custom bios that supports some sort of additional PCIe expander.

Given the issue that the ASIC card won't let me POST on another newer motherboard, but that is just a guess.

kajer

If I do manage to boot a vanilla RHEL, I might be able to pillage some device /asic drivers out of the rpm library I found in the disk I mounted.

kajer

put everything back, but with a video card installed. Managed to stop GRUB in an attempt to get single user mode.

Grub has a MD5crypt password (hashcat -m 500)

yay

I can either change it on disk, or... CRACK IT

kajer

cool, cool... not in the rockyou.txt I have

Time to fire up my CMIYC cluster... my laptop 940MX won't be up to the abuse I have planned.

Ryan Castellucci :nonbinary_flag:

@kajer never change

kajer

@ryanc