I needed a cheap NAS system and had originally intended to give this one away as a gift to a relative for Christmas. However, said relative isn’t very technical and tl;dr I’m awful at choosing gifts for people so I decided to poke the proprietary device and see if we could have some fun with it.
The exact model that we will be talking about in this post is the Seagate Personal Cloud 3TB (STCR3000101).Here are a list of useful features:
- Time Machine backup support for OS X (Broken on El Capitan)
- Stream to Chromecast / AppleTV / Roku, LG & Samsung smart TVs
- Use the Seagate media app to access content remotely
- Web based control panel
- Ability to install 3rd party applications like WordPress, OwnCloud, and Plex media server (This functionality will be important later)
- more features are included but less important to me
So let’s start up by connecting this thing to our network and perform a port scan.
PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 81/tcp open hosts2-ns 82/tcp open xfer 83/tcp open mit-ml-dev 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 548/tcp open afp 631/tcp open ipp 1080/tcp open socks 2222/tcp open EtherNetIP-1 3128/tcp open squid-http 8000/tcp open http-alt 8080/tcp open http-proxy 8088/tcp open radan-http 8888/tcp open sun-answerbook 9000/tcp open cslistener 9091/tcp open xmltec-xmlmail
As you can see there isn’t anything special, but there are some services we care about like SSH / SFTP, HTTP(s), etc. My initial test of bruteforcing the root user via SSH and sFTP did not seem to work. So looks like we’ll have to find another way to get shell access.
I mentioned about the useful features this proprietary NAS comes with, and this is exactly what we will be taking advantage of to get our shell today. How can we get shell access without SSH?