salman

I am a big fan of Pushkar Bhatkoti’s blog.

Link:
http://pushkarbhatkoti.wordpress.com/2009/01/25/a-fun-with-cisco-call-manager-6x-how-to-root-access-to-ccm6x-box/

Topic:
A fun with Cisco Call manager 6x – root access to CCM6x box

cut and paste:

January 25, 2009 at 3:55 am | In CCM 5x 6x 7x stuffs | | Edit this post
Tags: hacking cisco call manager 6x, how to get root access to ccm ccm6x ccm7x, logging in as a root in cisco call manager

———————————————————————————————-
Duh… its 42 degree outside here in Sydney and it is also a long weekend – this sounds boreing… nothing to do outdoor.
My mind got crazy and then I thought to play with my new toy – CCM version 6.x.
Note: before you read this please note, do not try to apply it on your production server.
Quite often, when we are working on the production server and we need access to call manager 5x 6x 7x root shell (penguin shell), we had to call bloody TAC and do wait for ages before we get access to the root shell.
Last week this happend to my friend and he told me that is there anyway to get access to the call manager root shell. He upgraded his CCM from v5 to 6x and the disk space got on ccm server got full. So he had to delete some files from ccm using LINUX shell. Somehow cisco has managed to lock it down so that no root access to the ccm appliance. I given my old method to my friend and he got access to the root shell [grub /lilo breakin method like we do to recover root password].

Today I got some time to do some research on this and found out a less effort method which you can safely apply to your production server without breaking anything related to Cisco’s software.

So using below method you would be able to access your call manager in the same fashion like TAC guys do. You don’t have to call them and wait…hehhe…

download fedora9, redhat linux 4 or above or centos disk1. burn it on a CD or dvd. this disk iwll be used in the step #3

STEP#1: Create remote account on your CUCM.
———————————————————–
ssh to your CUCM box. I use Ubuntu as a desktop, if you are billy fane you can use ssh or secureCRT.

frog# ssh administrator@142.2.64.254

you’ll get below prompt:

admin:

create a account and enable remote account to this box:

admin:utils remote_account create frog 100
admin:utils remote_account enable

noticed 100 in the above is number of days ‘frog’ username / account will be valid. If you want it forever, then just type 0

STEP#2: reboot the server:
———————————-
admin:utils system restart

STEP#3: create password for ‘frog’ remote user
———————————————————-

While server reboots, pop-in a linux booteble disk (downloaded centos or redhat first disk) to MCS server or your lab toy. When you see boot prompt type ‘linux rescue:

boot:linux rescue

That will give you the root shell access of root#

initblah#

Rescue disk mounts the CCM hard disk image as a /mnt/sysimage. Now chroot to this image to change in the /etc/ files or passwords:

#chroot /mnt/sysimage

[root#ccm-] #

Note1: if you dont’ see the root prompt and /etc/pass file, then you may need to mount your sysimage.

Note2: If you are Opensource folk and know how to penguinworks u can jump direct to step#4. Actually adding user here vs adding them when u get root# shell using a booteble CD, is that u don’t have to apply all admin groups to remote user.

according to the one of the hacker wesite, remote user must be a member of the following groups in CCM BOX:

disk, sys, adm, bin, wheel and root

STEP#4: change attribute of /etc files and create ‘frog’ user’s password:
—————————————————————————————
Cisco have locked the attribute to read only to all /etc/passwd /etc/group /etc/shadow and /etc/gshadow file to protect those files.

Make all of below files attribute from read only to read/write. So when you change ‘frog’ users password the system will let you change it.

root#chattr -i /etc/passwd
root#chattr -i /etc/shadow
root#chattr -i /etc/group
root#chattr -i /etc/gshadow

root#passwd frog

Now restart the server: use reboot command

Dont’ forget to remove your DVD/CD from MCS server.
Once that is done, access to the ccm from your favourite ssh client. mine is ubuntu these days.

frog# ssh frog@142.2.64.254

Welcome to Remote Support

[root@CUCM6~]#
[root@CUCM6~]#
[root@CUCM6~]#

hehe… its your little linux box now. Do with it whatever you like. I will install freeRADIUS and some other cool tool like NMAP on this Cisco box.

Ich habe mir vor einiger Zeit zum testen einen Cisco CallManager 6 installiert. Da ich Blackboxen nicht leiden kann, habe ich versucht ob es nicht möglich ist einen richtigen Shell Access hinzubekommen…
……

Though the workaround you found is just as fine.

Thanks for sharing your notes with us! I really enjoy seeing someone take another approach. Great job!

Please try to find the author of the above procedure. I would like to give credit.

Josh

When doing “adduser” I was actually adding it to the liveCD version! in other words, I was modifying /etc/passwd, group, shadow, gshadow, etc when doing the “adduser” command.

So, I opened up those files in a text editor, then opened up /media/disk/etc/passwd..etc and copied/pasted the new user info.

also, when doing sudo visudo sudoers, I had to use the -f flag to look to the local command line otherwise, I was also editing /etc/sudoers (my liveCD filesystem)

i.e: ubuntu@ubuntu:/media/disk/etc$ sudo visudo -f sudoers

also, note: I noticed that I did not have access via Konsole to /media/disk until I opened it up in Dolphin (the file manager)…not sure if I tried to quickly or not, but…if anyone else does this…there ya go.

So…thanks for pointing me in the right way..hopefully, my notes can be of assistance to someone.

My apologies to the original poster on that!