[rescue] Challenge L Rescue

Curtis H. Wilbar Jr. rescue at hawkmountain.net
Sat Nov 8 15:01:50 CST 2003 

I've done this on a couple of SGIs:

login as lp... if the system is default, lp will log you into a shell
with no password.

Get the encrypted password, then on another system, run crack on it.

Of course, it the password is not crackable... then you need to be
able to mount the drives and edit the files to null out root's password.

-- Curt

On Sat, 2003-11-08 at 14:05, Sheldon T. Hall wrote:
> OK, the Tandem-badged Challenge L is in the house.  It runs, it boots, etc.
> 
> Its a four-R4.4k processor IP19 with 1.5 GB of main memory:
> 
> ---------------
> 
> Command Monitor.  Type "exit" to return to the menu.
> >> hinv -t
> system ARC SGI-IP19 key 0
>   processor CPU MIPS-R4400 key 0
>     processor FPU MIPS-R4400FPC key 0
>     cache primary icache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache primary dcache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache secondary cache 1024 Kbytes (block 1 lines, line 128 bytes)
>   processor CPU MIPS-R4400 key 1
>     processor FPU MIPS-R4400FPC key 1
>     cache primary icache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache primary dcache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache secondary cache 1024 Kbytes (block 1 lines, line 128 bytes)
>   processor CPU MIPS-R4400 key 2
>     processor FPU MIPS-R4400FPC key 2
>     cache primary icache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache primary dcache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache secondary cache 1024 Kbytes (block 1 lines, line 128 bytes)
>   processor CPU MIPS-R4400 key 3
>     processor FPU MIPS-R4400FPC key 3
>     cache primary icache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache primary dcache 16 Kbytes (block 1 lines, line 16 bytes)
>     cache secondary cache 1024 Kbytes (block 1 lines, line 128 bytes)
>   memory main 1536 Mbytes
>   adapter SCSI WD33C95A key 0
>   adapter SCSI WD33C95A key 1
>   adapter multi function EPC1.0 key 0
>     peripheral serial EVEREST TTY key 6
>     controller network et0 key 0
>       peripheral network key 0
>     controller serial IO4 tty key 0
>       peripheral line key 0
>     controller serial IO4 tty key 1
>       peripheral line key 0
>     controller serial IO4 tty key 4
>       peripheral line key 0
>     controller serial IO4 tty key 5
>       peripheral line key 0
> >>
> 
> IP19 PROM (BE) SGI Version 13  built 02:03:53 AM Aug 29, 1993
> Checking system endianess...                    Big endian
> Initializing hardware inventory...              ...done.
>     CPU 01/00 is bootmaster
> Testing and clearing bus tags...                ...passed.
> Configuring memory...
>     Using standard interleave algorithm.
> Running built-in memory test... 02 03 04
>                                                 ...passed.
> Writing cfginfo to memory
> Initializing MPCONF blocks
> Checking EAROM...                               ...passed.
> Testing secondary cache...                      ...passed.
> Checking processor diag results...
>     Enabled 1536 Megabytes of main memory
>     Enabled 4 processors
> Downloading PROM header information...
> Jumping into IO4 PROM.
> 
> PROM Segment Loader (R4400 IP19) SGI Version 2.1 Rev A MIPS3,   Sep  3, 1996
> Loading and executing R4400 boot prom image...
> 
> IO4 PROM Monitor SGI Version 4.21 Rev A IP19,   Sep  3, 1996 (BE)
> Sizing caches...
> Initializing exception vectors.
> Initializing IO4 subsystems.
> Fixing vpids...
> Initializing environment
> Piggyback reads enabled.
> Initializing software and devices.
> All initialization and diagnostics completed.
> Bootmaster processor already started.
> Starting processor #1
> Starting processor #2
> Starting processor #3
> Comparing EAROM checksums...
> Checking hardware inventory...
> 
> 
> System Maintenance Menu
> 
> 1) Start System
> 2) Install System Software
> 3) Run Diagnostics
> 4) Recover System
> 5) Enter Command Monitor
> 
> Option? 1
> 
> Starting up the system...
> 
> IRIX Release 6.5 IP19 Version 05190003 System V - 64 Bit
> Copyright 1987-1998 Silicon Graphics, Inc.
> All Rights Reserved.
> 
> WD95A SCSI controller 0 - single ended internal, rev 0, min xfer period
> 100ns
> WD95A SCSI controller 1 - differential internal, rev 0, min xfer period
> 100ns
> Configuring EPC in IO4 slot 5 padap 1 as et0
> The system is coming up.
> 
> Warning: Internet Gateway web server running as root.
> Use "chkconfig webface off" if you wish to disable.
> startup: listening to port 80 as nobody
> 
> IRIS console login: root
> Password:
> UX:login: ERROR: Login incorrect
> login:
> IRIS console login:
> 
> sysctlrd: Keyswitch off!
> sysctlrd: Sending hang-up signal to processes.
> sysctlrd: Waiting for processes to clean-up
> sysctlrd: Killing all processes.
> sysctlrd: Doing synchronous sync...
> sysctlrd: Done.
> sysctlrd: Powering down.
> 
> ----------------------
> 
> All sleds are present and accounted for: 3 x 2-GB hard drives, a CD-ROM
> drive, a 150 MB tape drive, and some myster drive that looks like a tape.  I
> disconnected the tape drives for the above hinv report, as the start-up
> procedure was hanging with a "checking inventory" message on the LCP panel.
> 
> And my question is ... what's the best way to crack root on this thing?  I
> have a set of IRIX 6.5 media...
> 
> -Shel
> 
> --
> Sheldon T. Hall
> shel at cmhc.com
> 206-780-7971 (CMHC)
> 206-842-2858 (Home)
> _______________________________________________
> rescue list - http://www.sunhelp.org/mailman/listinfo/rescue

More information about the rescue mailing list