You're basically trying to get hold of /etc/passwd. This is a text file which has to be readable by ANY user account on that box, try telnet, SSH or ftp to attach. Another way in (usable on equisys netpilots, for instance, where there are no shell accounts and ftp sessions are chroot'ed), check to see if you have an httpd server with SSI (that's server-side includes, not SSL: secure socket layer) enabled and 'hash-bit-exec' enabled (this can all be switched on from a .htaccess file with apache, see apache.org) you cat put a "<!--#exec cmd='/bin/cat /etc/passwd' -->" in an HTML page which, when viewed, will show the result of cat'ing /etc/passwd, i.e. the contents thereof.

If you have no other way of getting access via a shell, ftp client, browser etc. then it's a case of pull the HDD out of the production server, bang it into a friendly (i.e. your) *NIX box and mount it thereon.

P.S. These are obviously generic instructions. For the NAS box that started this thread you evidently have some form of shell access so no probs.