Hak5 Forums
Legomaniac

Cow Milking Robot Hacks/Mods X11


Hi Everyone, update time. I plugged in a keyboard and it did do interesting things, sort of. Ctrl + Alt + FX (X != 2) directs you to a console login. I tried all the obvious-ish default passwords: Lely, Password, 123456, etc. It is quite slow on the password denied response, so perhaps I need to buy a Rubber Ducky and let it go all night long or something. The good news is it does keep milking cows while messing with it; you just have to remember to Ctrl+Alt+F2 before you unplug the keyboard.

Video: 

I haven't done a hard reboot, I think that's the next step, remove power and see what shows up during boot. 

 

Just now, user_1577 said:

@Legomaniac I was able to log in with username: lely password: lely. No root access though :sad:

I'm actually not sure I tried that! Mostly I tried to log into root or 'admin'. I'll try lely lely.

It likely is vulnerable to privilege escalation attacks somewhere.

9 minutes ago, Legomaniac said:

I'm actually not sure I tried that! Mostly I tried to log into root or 'admin'. I'll try lely lely.

It likely is vulnerable to privilege escalation attacks somewhere.

I'm not home but I tried to ssh in as username lely password lely

no sauce yet


That's strange, just tried it again for me and it logged in:

 

login as: lely
lely@10.4.1.101's password:
Linux elink-tab 3.10.17-R07 #1 SMP PREEMPT Mon Feb 15 15:14:56 CET 2016 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 11 23:34:29 2017 from 10.4.1.1
lely@elink-tab:~$ ls /
bin   dev  home          lib    media  opt   root  sbin  sys  usr
boot  etc  lely_install  lib64  mnt    proc  run   srv   tmp  var
lely@elink-tab:~$

 
 

5 minutes ago, user_1577 said:

That's strange, just tried it again for me and it logged in:

 


login as: lely
lely@10.4.1.101's password:
Linux elink-tab 3.10.17-R07 #1 SMP PREEMPT Mon Feb 15 15:14:56 CET 2016 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 11 23:34:29 2017 from 10.4.1.1
lely@elink-tab:~$ ls /
bin   dev  home          lib    media  opt   root  sbin  sys  usr
boot  etc  lely_install  lib64  mnt    proc  run   srv   tmp  var
lely@elink-tab:~$

 

Did you copy & paste that or type it out? Also, what version of robot is it, and what software version is it running?


So, what I'm getting looks like this:

If you trust this host, enter "y" to add the key to                                                             
PuTTY's cache and carry on connecting.                                                                          
If you want to carry on connecting just once, without                                                           
adding the key to the cache, enter "n".                                                                         
If you do not trust this host, press Return to abandon the                                                      
connection.                                                                                                     
Store key in cache? (y/n) yes                                                                                   
login as: lely                                                                                                  
lely@10.4.1.101's password:  (I entered lely)                                                                                   
Access denied                                                                                                   
lely@10.4.1.101's password:                                                                                     

Update: I tried it on robot 2 and got the same results.

PS C:\Program Files\PuTTY> .\plink.exe 10.4.1.102                                                               
The first key-exchange algorithm supported by the server is                                                     
diffie-hellman-group1-sha1, which is below the configured warning threshold.                                    
Continue with connection? (y/n) y                                                                               
The server's host key is not cached in the registry. You                                                        
have no guarantee that the server is the computer you                                                           
think it is.                                                                                                    
The server's rsa2 key fingerprint is:                                                                           
ssh-rsa 1040 be:44:a8:36:71:ec:1e:b9:df:28:23:d3:c9:eb:b6:8a                                                    
If you trust this host, enter "y" to add the key to                                                             
PuTTY's cache and carry on connecting.                                                                          
If you want to carry on connecting just once, without                                                           
adding the key to the cache, enter "n".                                                                         
If you do not trust this host, press Return to abandon the                                                      
connection.                                                                                                     
Store key in cache? (y/n) y                                                                                     
login as: Lely                                                                                                  
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:                                                                                     
Access denied                                                                                                   
Lely@10.4.1.102's password:               

So it appears that your robot has a different default ssh password than mine, or perhaps mine has password login disabled :( 

Question for those in the know: if you disable password login, will it still give you a 'fake' password prompt?

Edited by Legomaniac
More info
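
Added example (not part of any post in this thread): the plink session above exposes two facts a device inventory should record, the diffie-hellman-group1-sha1 key exchange and the 1040-bit ssh-rsa host key. The Python code below pulls both out of a saved client transcript; the function name, the weak-algorithm set and the 2048-bit floor are assumptions chosen for illustration.

```python
import re

# Assumed policy (not from the thread): SHA-1 based key exchanges and RSA host
# keys under 2048 bits are reported as findings.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
MIN_RSA_BITS = 2048

# plink wraps its warning, so the algorithm name can sit on the next line.
KEX_RE = re.compile(r"key-exchange algorithm supported by the server is\s+([\w@.-]+)")
# PuTTY's legacy fingerprint line: "<key type> <bits> <16 colon-separated MD5 bytes>".
FPR_RE = re.compile(r"^(ssh-[\w-]+)\s+(\d+)\s+(?:[0-9a-f]{2}:){15}[0-9a-f]{2}\s*$", re.M)

# Lines copied from the plink session in the post above.
SAMPLE = """\
The first key-exchange algorithm supported by the server is
diffie-hellman-group1-sha1, which is below the configured warning threshold.
Continue with connection? (y/n) y
The server's rsa2 key fingerprint is:
ssh-rsa 1040 be:44:a8:36:71:ec:1e:b9:df:28:23:d3:c9:eb:b6:8a
Store key in cache? (y/n) y
"""


def audit_ssh_transcript(text):
    """Return (finding, detail) tuples for weak SSH parameters seen in a client log."""
    findings = []
    kex = KEX_RE.search(text)
    if kex and kex.group(1) in WEAK_KEX:
        findings.append(("weak-kex", kex.group(1)))
    for key_type, bits in FPR_RE.findall(text):
        if key_type == "ssh-rsa" and int(bits) < MIN_RSA_BITS:
            findings.append(("short-rsa-hostkey", f"{key_type} {bits}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_ssh_transcript(SAMPLE):
        print(f"{finding}: {detail}")
```
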

Quote

Question for those in the know: if you disable password login, will it still give you a 'fake' password prompt?

Quite likely, yeah.


What kind of combinations did you try?
Because it should be Lely Lely.

admin - admin
Lely - Lely
lely - lely
.. .. .

On 1/12/2018 at 9:10 AM, LivingDodo said:

What kind of combinations did you try?
Because it should be Lely Lely.

admin - admin
Lely - Lely
lely - lely
.. .. .

We tried all of those and a few other combos (like admin-password, lely-password, and a few other common ones like that).


@legomaniac I've been trying to learn how to access T4C remotely for a month now. I still get lost in the vocabulary. Would you be willing to help me set it up privately? Also, the passwords on some of our brand new A4 stuff is Service: lely or service: lelylely, and there was another one where the password had some numbers in it, but I can't remember that anymore.

Can't wait till someone figures this out. I'm getting tired of having to go over to reset m4use buckets!


Nmap scan port 80 http:// ipaddress into your internet exploder press enter tada 


bigbiz must be doing something wrong.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-22 17:43 Eastern Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating Ping Scan at 17:43
Scanning 71.120.95.4 [4 ports]
Completed Ping Scan at 17:43, 3.18s elapsed (1 total hosts)
Nmap scan report for 71.120.95.4 [host down]
NSE: Script Post-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 9.66 seconds

Raw packets sent: 8 (304B) | Rcvd: 3 (205B)
 

I'm assuming there are some settings I need to change on my other router/computer but I don't know what. Where do I look now? Even some key words to search and read about would help. It's all new to me but I like to learn.

On 4/22/2018 at 5:47 PM, hemmy15 said:

bigbiz must be doing something wrong.

Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-22 17:43 Eastern Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating Ping Scan at 17:43
Scanning 71.120.95.4 [4 ports]
Completed Ping Scan at 17:43, 3.18s elapsed (1 total hosts)
Nmap scan report for 71.120.95.4 [host down]
NSE: Script Post-scanning.
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Initiating NSE at 17:43
Completed NSE at 17:43, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 9.66 seconds

Raw packets sent: 8 (304B) | Rcvd: 3 (205B)
 

I'm assuming there are some settings I need to change on my other router/computer but I don't know what. Where do I look now? Even some key words to search and read about would help. It's all new to me but I like to learn.

Sorry Hemmy15, I've been not on here much for a while again... 

Accessing t4c remotely and accessing the robot touchscreen remotely are different systems, but I can help you do both.

You will need to get a machine that runs Linux (or a Linux instance in a VM like VirtualBox on the T4CPC), and also has access to the LAN that the robots are on. The amount of Linux required is pretty minimal, but the more 'remoteness' you need, the more complex it gets.

I can do it from anywhere in the world I have internet, using my phone, but I don't because it's pretty tedious. If you're trying to just reset the buckets from an office I bet I can get you up and running in an hour. Send me a private message and I'll be in touch. In the meantime, this video is step 1. Do this on the T4C server in the barn, and if you don't have TeamViewer, get that too.

 
