iLiad Thoughts on 2.5 and root password

[TadW]

I was just thinking what should we do if we cannot crack the root password using conventional mentions like John The Ripper, at least not in a suitable time? Possibilities:

- start a distributed brute-force attack
- stick to 2.4 (I know, bad idea )
- sniff the traffic to catch the 2.5 flash update. Save it to a file, hex it on a PC to change password, then manually put it back on the iRex and run the flash upgrade routines.

Any more ideas or possible solutions?

[tribble]

we could easily replace it with a password of our choice. But i would like to have it cracked rather, so we dont have to fiddle with the passwd file.

[DHer]

we don't need to crack the root password, i think.

with netcat we spawned a root shell, i think. so we can just create a new password hash for the passwd file and insert it there. it only works till the next update, so cracking the password is only useful for the future.

Or we just add a new user with superuser privilegues

Did i say we? I meant you. I'm just watching :P

[TadW]

I see where you guys are getting... love the netcat idea... trust me Dher, I am quite upset myself about your misfortune. Let's hope you can get your iLiad fixed asap.

If we had the real password, couldn't iRex just replace it again with another one during the next update? I think it doesn't really matter whether we have the real password or just replace it with our own.

[dive1770]

why don't you just overwrite the current (new) passwd file with the old one?
doing this will result in a root account without password.

then create client certificates on your computer and store the public key of the certificate in the file ~/.ssh/authorized_keys (on the iliad)
if you do this and iRex does not fiddle with the userhomes you will always have root access with ssh.

[DHer]

is there still a ssh daemon in 2.5 or did they remove it completely?

If it's still there, the idea with the user certificate is really great.

[Tscherno]

Quote:

Originally Posted by DHer

is there still a ssh daemon in 2.5 or did they remove it completely?

If it's still there, the idea with the user certificate is really great.

Even if they remove the ssh deamon, we can put our own on the device...

[arivero]

Quote:

Originally Posted by DHer

with netcat we spawned a root shell, i think. so we can just create a new password hash for the passwd file and insert it there. it only works till the next update, so cracking the password is only useful for the future.

Or we just add a new user with superuser privilegues

I like this approach, netcat plus a different user. Plus "sudo gainroot" to go from this user to the root one.

BTW, I have found that a funny system to execute things is to use cntrl-P in the first page of a pdf file, and then selecting the "print command".

[Kristoffer]

Quote:

Originally Posted by Tscherno

Even if they remove the ssh deamon, we can put our own on the device...

As far as I could see, they have removed the ssh daemon namely 'dropbear' completely, so we will need a new one

[Kristoffer]

Quote:

Originally Posted by dive1770

...
if you do this and iRex does not fiddle with the userhomes you will always have root access with ssh.

I had some Data stored in the root's home directory, the update to 2.5 deleted all of it, but maybe that isn't true for other users' homes....

[arivero]

Quote:

Originally Posted by Kristoffer

As far as I could see, they have removed the ssh daemon namely 'dropbear' completely, so we will need a new one

Kristoffer, have you upgraded to the whole 2.5, ie the three upgrading steps? Just to be sure I can still pdf-exec.

Secondly, if the ssh is removed... are you using netcat or similar tricks, or just navegating across the html? Or does it the xrvt work?

[Tscherno]

We could simply use the tar.gz from the 2.4 version to restore the sshd

[Kristoffer]

Yes I took the 3 steps completely...

I used the new hacking pdf from Dher in conjunction with netcat for windows to gain console access... the pdf-execution is still working

[arivero]

Quote:

Originally Posted by Kristoffer

Yes I took the 3 steps completely...

I used the new hacking pdf from Dher in conjunction with netcat for windows to gain console access... the pdf-execution is still working

Ok I assume you refer to
https://www.mobileread.com/forums/sho...1&postcount=28

Well I will try to upgrade and to provide a non-network hacking method, assuming the pdf execution still works. I hope your 2.5 is 2.5b and not 2.5a (there is some comment about a earlier corrected on the flight)

[astfgl]

Quote:

Originally Posted by arivero

BTW, I have found that a funny system to execute things is to use cntrl-P in the first page of a pdf file, and then selecting the "print command".

Is DHer's user interface still working? If so, he can use this to run a "ps -e > {content_path}/ps.txt" to put the process listing in a file which can be displayed on the screen, then run "kill -9 {PID}" to kill the netcat process and un-block the networking.

EDIT: Oops, CTRL-p implies a keyboard and PC, not the Illiad. My bad. However, if he can still access the UI, loading a pdf/script/etc on CF/USB and killing the process that way might still be possible. My Illiad is still a long way from delivery, so this is just speculation on my part.