Great, now I am looking at hardware firewalls on ebay for a side project to do

@ryanc

cool, cool... not in the rockyou.txt I have

Time to fire up my CMIYC cluster... my laptop 940MX won't be up to the abuse I have planned.

put everything back, but with a video card installed. Managed to stop GRUB in an attempt to get single user mode.

Grub has a MD5crypt password (hashcat -m 500)

yay

I can either change it on disk, or... CRACK IT

If I do manage to boot a vanilla RHEL, I might be able to pillage some device /asic drivers out of the rpm library I found in the disk I mounted.

@ryanc My guess is: It's a custom bios that supports some sort of additional PCIe expander.

Given the issue that the ASIC card won't let me POST on another newer motherboard, but that is just a guess.

I dug in to the OS a little bit last night after doing hardware stuff. The OS is based on RHEL but can't quite tell which version.

I am thinking I clone the HDD back to another disk, but inject a root password in to the shadow file so I can login to the underlying OS before PanOS takes over getty.

I was unsuccessful in getting a different OS on the existing motherboard.

PXEboot results in continuous beeping just after trying to get the pxelinux.0 file

Booting FreeBSD11 results in a partial load of the kernel until something beeps and the boot hangs.

Booting various i386 linux is the same, something causes a short beep and the boot process hangs.

I swapped the X6 motherboard with a X11, but with the ASIC installed, the MB won't post.

@ryanc
https://pastebin.com/rSLjnC9J

@ryanc
// changePassword is used by Local User Databa/Users and Administrators
// its main purpose is to replace UI 'password' field with <phash>
// It assumes that UI is responsible for sending password when appropirate
// If password is not changed from UI, <password> must NOT be sent, instead
// original <phash> (if available) must be sent back
static function changePassword(&$jsonArgs) {
if ($jsonArgs) {
if (!is_array($jsonArgs)) {
$jsonArgs = Util::objectToArray($jsonArgs);
}
}
$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$editing = is_object($jsonArgs);
$id = $jsonArgs['id'];
// <password> is not part of schema we need to trim it out of final xml data
// to do that, load data, then trim
if (!$jsonArgs['set']) {
$doc->loadXML($jsonArgs['data']);
} else {
// new record: Add wrapper <entry> data..</entry> for loading DOMDocument
$doc->loadXML('<entry>' . $jsonArgs['data'] . '</entry>');
}

$domData = $doc->documentElement;
$password = $doc->getElementsByTagName('password')->item(0);
$passChange = false;
$passwordValue = '';
// Debug::log("Raw data " . __LINE__ . ' ' . $jsonArgs['data']);

if ($password) {
$foundPhash = false;
$passwordValue = $password->nodeValue;
// NOTE: this routine expecting phash is always sent for password change
$phash = $doc->getElementsByTagName('phash')->item(0);
// hash new password
$template = $jsonArgs['template'];
$tplPart = isset($template) ? "<templatename>$template</templatename>": "";
$opCmd = "<request><password-hash><password>" . Xml::escape($password->nodeValue) . "</password><username>" . Xml::escape($jsonArgs["id"]) . "</username>$tplPart</password-hash></request>";
$phashResult = Direct::noLog("Direct::runOpCommand", array($opCmd));
//<response status="success"><result><phash>$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.</phash></result></response>
if ($phashResult["@status"] !== "success") {
$exceptionMessage = "";
if (is_array($phashResult["msg"]["line"])) {
$exceptionMessage = join("\n", $phashResult["msg"]["line"]);
}
else if (is_array($phashResult["msg"])) {
$exceptionMessage = join("\n", $phashResult["msg"]);
} else {
$exceptionMessage = $phashResult["msg"]["line"];
}
$exceptionMessage = str_replace("request -> password-hash ->", "-", $exceptionMessage);
throw new Exception (Xml::escape($exceptionMessage));
}
// trim password
$domData->removeChild($password);
if ($phash) {
$phash->nodeValue = Xml::escape($phashResult['result']['phash']);
$foundPhash = true;
}
// LIBXML_NOXMLDECL does not work
//$jsonArgs->data = $doc->saveXML(null, LIBXML_NOXMLDECL);
$xml = $doc->saveXML();
// Debug::log("Line" . __LINE__ . " xml=" . $xml . ' foundHash=' . $foundPhash);
// need to set start to after XML decl <?xml version="1.0"
$xml = substr_replace($xml, '', 0, strlen('<?xml version="1.0"?>'));
// add new object
$phashXML = '<phash>' . Xml::escape($phashResult['result']['phash']) . '</phash>';
if ($jsonArgs['set']) {
// strip off <entry> and </entry> for 'set' command
$start = strpos($xml, "<entry>");
$xml = substr_replace($xml, '', $start, strlen('<entry>'));
$start = strrpos($xml, "</entry>");
$xml = substr_replace($xml, '', $start, strlen('</entry>'));
if ($foundPhash)
$jsonArgs['data'] = $xml;
else
$jsonArgs['data'] = $xml . $phashXML;
} else { //editing object
if ($foundPhash)
$jsonArgs['data'] = $xml;
else
$jsonArgs['data'] = substr_replace($xml, $phashXML, strrpos($xml, "</entry>"), 0);
}
//Debug::log("Line" . __LINE__ . " data=" . $jsonArgs['data']);
$passChange = true;
$jsonArgs['password'] = $passwordValue;
$jsonArgs['phash'] = $phashResult['result']['phash'];
}
return $passChange;
}

$1$hwrbwjlu$/Tr8NgIA4oKuqpC.1pnk3.:aaaaaaaaaa

I got an X11 generation motherboard installed with some minor chassis modification. With the ASIC card installed, the server wont post. no beeps, no vga, no anything.

Going to stop fucking around with the hardware, and start to disassemble the disk image i took,

I seem to be ignoring the obvious... replacing the motherboard with something not 3000 years old.

A minor annoyance, all screws are stainless. My magnetic driver has no effect. Nice build quality I guess.

I just want to boot an OS so I can see WTF the dataplane board shows up as in LSPCI

omg, i can finally take an image

turns out, when using bad ssds that still test "okay" from a NAS... are actually bad.

who knew

Okay, now we are getting something

Found a stash of 2gb pc2 reg ecc

Got the date up to 2024

The old CMOS battery was cooked

also, 1GB of DDR2 400

let me check my stash

oh fuck, 32bit xeon.... wow

So I set the cmos date to 2024, and then got the no-vga beep code...

After finding that the CMOS reset jumper was never installed, I got the CMOS back to default

Booted an opnsense iso .. nope

oh snap - we can make this a dual xeon board

https://www.supermicro.com/products/archive/motherboard/x6dlp-eg2

Moved the motherboard onboard VGA to disable, and viola