Hacking FireFly 8S

Stuff I am working on
Post Reply
Daniel Wee
Site Admin
Posts: 2449
Joined: Wed 25 Feb 25 2009 8:00 pm

Hacking FireFly 8S

Post by Daniel Wee »

Default IP is 192.168.42.1
*use "ifconfig -a" to discover this.

telnet port 23 is open.

root doesn't require password.
default doesn't require password but cannot start shell due to lack of permission.
a8sdk has password a8me but cannot enter home directory due to lack of permission.

Wi-Fi server timesout if no valid connection is made after a few minutes.
Daniel Wee
Site Admin
Posts: 2449
Joined: Wed 25 Feb 25 2009 8:00 pm

/etc/passwd file

Post by Daniel Wee »

Code: Select all

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
ftp:x:83:83:ftp:/home/ftp:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
a8sdk:x:1001:1001:Linux User,,,:/home/a8sdk:/bin/sh
dbus:x:81:81:DBus messagebus user:/var/run/dbus:/bin/false
Daniel Wee
Site Admin
Posts: 2449
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking FireFly 8S

Post by Daniel Wee »

Code: Select all

root::0:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
ftp:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default::10933:0:99999:7:::
a8sdk:HHTiH8SGMjHoM:0:0:99999:7:::
dbus:*:::::::
Daniel Wee
Site Admin
Posts: 2449
Joined: Wed 25 Feb 25 2009 8:00 pm

Re: Hacking FireFly 8S

Post by Daniel Wee »

From the examination of the passwd and shadow password files, it looks like only one user may log into the ssh shell:-

a8sdk with the password hash of HHTiH8SGMjHoM

We'll have to have a go at cracking this.
./hashcat64.bin -m 1500 HHTiH8SGMjHoM -a 3

Cracked!

password is a8me
Post Reply