Enable root SSH access on the Thecus 1U4500

Disclaimer: All information mentioned here is for educational purposes only. I or this site will not be held responsible for any data loss or damage done to your device.
This hack follows very closely to a known hack for the Infrant (now NetGear) ReadyNAS.

I have recently been testing some NAS devices, an Infrant (now Netgear) ReadyNAS and a Thecus 1U4500. One of the first things I noticed about both of these devices was that they both ran SSH out of the box by default but there was no access given to you as the end user to get to the shell. Luckily it didn’t take to much effort with Google to find a way in to the ReadyNAS and the link above shows up quite quickly. However the same cannot be said for the Thecus 1U4500. I tried a bunch of search terms etc. but basically only found my way to others like myself – those of us on the outside trying to find a way in. So I got to thinking, when you really break it down, these 2 NAS boxes are really similar and so since I’m still in ‘testing’ phase (i.e. no live data on the box yet) let’s see if a hack along the same approach would work. And sure enough it did, and I have outlined the steps below:

To be able to accomplish this hack you will need access to the Thecus Web interface, a Linux/UNIX box & a Mac box.

Step 1:
Create a folder to execute the hack from:
From the web interface select Storage then Folder, Click on Add and use these settings:
Name – shell
Browseable – yes
Public – yes
Limit – 1 GB

Step 2:
Edit the settings on the the ’shell’ folder
From the web interface select Storage then Folder then Click on the NFS button next to the ’shell’ folder
Click Add and use these settings:
Hostname – *
Privilege – Writable
Root Access – Root Access allowed

Step 3:
Make sure the appropriate services are running on the Thecus.
From the web interface select Network then NFS and set for enable & Click Apply.
From the web interface select Network then AFP and set for enable and use these settings:
Mac Characterset – UTF-8
Zone – *
And Click Apply.
Now verify that the services are running
From the web interface select Status then System & check that the necessary services are running.

Step 4:
Now you go to the Linux/UNIX box and mount the share via NFS.
Make sure you su to root
create the mount point #mkdir /tmpshell
mount the share using the full directory name #mount x.x.x.x:/raid/data/shell /tmpshell (x.x.x.x=the IP address of your Thecus box)

Step 5:
Once you have the share mounted cd to /tmpshell and create a symlink to /etc called etc
#cd /tmpshell
#ln -s /etc etc
then run a quick check and you should now have one item in that directory called etc
#ls
etc

Step 6:
Now you have to go to the Mac and mount the share via AFP
At the Mac hit command+K, or from the Go menu in finder select “connect to server”, to bring up the Connect to server window.
In the box type in afp://x.x.x.x/shell (x.x.x.x=the IP address of the Thecus box) and click connect
When prompted for access credentials just use Guest.
Once the mount takes place you should be in a folder called ’shell’ and there should be one item there called etc
~And here is where the magic takes place~
Click on etc which is our symlink to /etc and low and behold AFP will traverse the symlink on the remote box and drop you right into /etc of the thecus box.

Step 7:
From here you just need to find the “shadow” file, make a quick copy (to be safe) and then make a quick edit.
The easiest way to do this from the Mac is to drop to that folder from the terminal:
So open terminal and cd /Volumes/shell/etc
Then make a quick copy of the shadow file (for safety)
mv shadow shadow.orig
Now open the shadow file with vi and see the goodness…
You will see a listing of accounts and there respective shell access levels, settings and the hashes for their passwords.
So just take the string for the root account’s password hash and replace it with a hash that you know! :)
Save the file after the change is made, close out everything and go ahead and SSH your way in as root with your brand new password.

P.S. once you are in via SSH you can delete or at least ‘tighten’ up the security on the shell folder.

Enjoy!

–Tom

3 Responses to “Enable root SSH access on the Thecus 1U4500”

  1. Phish Killer Mac OS X Mozilla Firefox 2.0.0.9 , on November 15th, 2007 at 8:12 pm Said:

    Tried it but receiving permissions errors from the Thecus.. it’s and interesting strategy. Maybe this does not work with firmware versions 2.0.0.1 I noticed that a number of the dialogs changed the the instructions seem to reference the 1.x firmware version. Is that that case or did I screw the pooch on setup:

    # mkdir /tshell
    # mount 166.13.192.151:/raid/data/shell /tshell

    mount: 166.13.192.151:/raid/data/shell failed, reason given by server: Permission denied

  2. Tom PHP , on November 15th, 2007 at 11:58 pm Said:

    Yeah I need to revise this and state that it is for the older version of the firmware.
    The new firmware runs the ‘OS’ in a live state and this method doesn’t work anymore .. I am trying some other approaches to see if I can work something out.

  3. Matthew C. Kriner Ubuntu Linux Mozilla Firefox 3.8 , on March 6th, 2010 at 1:26 am Said:

    Thanks for this post, answers a bunch of questions I was having.

Leave a Reply