A new look at the Hava

Steven Meyer  wrote:

Now what kind of privileges do yo have over the serial port? Can you add a user? And what files can you access? Getting that command line access is great, grabbing the shadow files and paying a little bit to use an Amazon cluster to break the hash would be worth it, and its very cheap.

I haven’t done much with the hava for quite a while.

I dug it and my serial cables out and hooked it up today to refresh my memory.

There’s no software on the box to add a user or change a password, this is a stripped down embedded linux. In addition, /etc/ (and most other areas) is mounted read-only. The normal commands to remount it to read-write don’t do it. They execute with no error but the filesystem is still mounted RO.

I can access anything, I just boot replacing init with /bin/sh and that effectively gives me a single user login as root.

There are no shadow files, just the /etc/passwd file. Embedded versions of linux rarely use the shadow password files.

/etc/passwd has only two entries:

root:mNKJ3erYY78BI:0:0:superuser:/root:/bin/sh
gpl_test:HVu9AVyBMfuf.:1:1:superuser:/home/gpl_test:/bin/sh

Only the first one would be useful, despite the name “superuser” the second entry isn’t really a superuser login since it’s user id is 1. The login program it uses is part of busybox version 1.00.

Although the serial console login has to be enabled by changing flash params the hava always runs a telnet daemon listening on the standard telnet port. If you can get the password cracked you can login via telnet and not have to make up a 3.3v serial cable. I suspect that they run the telnet daemon so their support could get into the box if necessary.

-Hank