Recon
nmap
└─$ nmap -A -timing 5 -p- 10.10.10.48
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1240/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
|_http-title: Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Pi-hole interface
Guessing directories on http://10.10.10.48, we find an admin page at http://10.10.10.48/admin.
Screenshot of the admin page
We are looking at a Pi-hole web interface.
As the box is named Mirai, we can check for default credentials. Mirai is a malware family that tries to log in to IoT devices exposed on the Internet using default credentials, then uses the resulting groups of infected devices to launch huge DDoS attacks.
I can't find the password needed to log in to the Pi-hole interface; the password is randomly generated at install time.
Plex server
Then, on http://10.10.10.48:32400/, we find a Plex server with a login form.
Screenshot of the plex login page
As with the Pi-hole server, I can't find any default creds.
Since we have a Pi-hole server, let's try to connect to the SSH server using the Raspberry Pi default credentials pi:raspberry.
It works! We have a shell, and we can get the user flag!
We check the pi user's privileges.
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
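A defender auditing a fleet of Raspberry Pi or Pi-hole hosts would want to catch exactly this configuration (an unrestricted, passwordless sudo rule for the default account) before an attacker does. The following is an added example, not code from the writeup: it parses the text that `sudo -l` prints, as shown above (embedded here as a constructed sample), and rates each privilege line. The severity labels and the rule grammar it accepts (`(runas) [TAG:] commands`) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `sudo -l` output shown in the writeup, as an auditor
# would collect it from each account on each host.
SAMPLE_SUDO_L = """Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
# Privilege line as printed by `sudo -l`: (runas_user[ : runas_group]) [TAG: ...] command_list
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Finding:
    user: str
    host: str
    runas: str
    tags: List[str]
    commands: str
    severity: str


def classify(tags: List[str], commands: str) -> str:
    """Severity from an auditor's viewpoint (assumed scale): ALL means any
    command as the run-as user (root by default); NOPASSWD removes the
    password re-prompt, so a stolen session becomes root with no friction."""
    if commands.strip() == "ALL":
        return "critical" if "NOPASSWD" in tags else "high"
    if "NOPASSWD" in tags:
        return "medium"
    return "info"


def audit_sudo_l(output: str) -> List[Finding]:
    """Parse `sudo -l` text into one Finding per privilege line."""
    findings: List[Finding] = []
    user = host = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            user, host = header.group("user"), header.group("host")
            continue
        if user is None:  # still inside the "Matching Defaults" section
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        tags = [t.rstrip(":") for t in rule.group("tags").split()]
        cmds = rule.group("cmds").strip()
        findings.append(Finding(user, host, rule.group("runas").strip(),
                                tags, cmds, classify(tags, cmds)))
    return findings


def grants_passwordless_root(findings: List[Finding]) -> bool:
    """True when any rule lets the account run anything with no password."""
    return any(f.severity == "critical" for f in findings)


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f.severity:8} {f.user}@{f.host} ({f.runas}) "
              f"{' '.join(f.tags) or '-'} {f.commands}")
```

Run against the sample, the second line is rated critical: the combination of `NOPASSWD` and `ALL` is what turns the default `pi:raspberry` login into immediate root. Feeding it the output collected from each host gives a quick list of accounts whose sudo rules need tightening.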
Oh we can get the roo… hum no :(
pi@raspberrypi:~ $ sudo cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Recover root.txt
Looking at the USB stick, we find another file, damnit.txt, in /media/usbstick, saying:
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Thanks James! We can try to find the file on the system; we get only two occurrences.
sudo find / -type f -name root.txt 2>/dev/null
/lib/live/mount/persistence/sda2/root/root.txt
/root/root.txt
The base file in /root and another in /lib/live/mount/persistence/sda2/root, which is just the persistent mount.
Speaking of mounts, let's check all mounted volumes.
pi@raspberrypi:~ $ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755)
/dev/sda1 on /lib/live/mount/persistence/sda1 type iso9660 (ro,noatime)
[...]
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=999,gid=997)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=1000,gid=1000)
We can see that the USB stick mounted on /media/usbstick is the /dev/sdb device. We can get the flag by running the strings command on the raw device.
pi@raspberrypi:~ $ sudo strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
[...]
*************************13e020b
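The recovery works because an ordinary delete only clears filesystem metadata; the data blocks keep their contents until something overwrites them, and `strings` simply walks the raw device looking for printable runs. The following is an added example, not part of the writeup: it implements the default `strings` rule (runs of at least four printable ASCII bytes) in Python and runs it over a constructed toy block image in which a "root.txt" is unlinked the way a filesystem would do it. The image layout, the toy inode pointer and the `flag{...}` placeholder are all constructed for the demonstration and are not the real device or flag. It also shows the defensive counterpart: only overwriting the block actually removes the content.

```python
import struct
from typing import Iterator, List, Tuple

BLOCK_SIZE = 4096
# GNU strings' default rule: runs of at least 4 printable ASCII bytes (0x20-0x7e).
PRINTABLE = set(range(0x20, 0x7F))
# Constructed: where our toy "inode" stores the number of the data block.
INODE_OFF = BLOCK_SIZE + 2048
# Constructed placeholder; the real flag value is not reproduced here.
CONSTRUCTED_FLAG = b"flag{constructed-example-not-the-real-flag}\n"


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of >= min_len printable bytes,
    which is what `strings` prints by default."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            yield start, data[start:i].decode("ascii")
        start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def build_image(file_content: bytes) -> bytearray:
    """Constructed toy block device (not a real ext4 layout): block 0 is
    binary filler, block 1 holds directory names and a toy inode, block 2
    holds the data of root.txt."""
    img = bytearray(BLOCK_SIZE * 4)
    img[0:64] = bytes([0x53, 0xEF, 0x00, 0x01, 0x80, 0xFF, 0x0A, 0x00]) * 8
    names = b"lost+found\x00root.txt\x00damnit.txt\x00"
    img[BLOCK_SIZE:BLOCK_SIZE + len(names)] = names
    img[INODE_OFF:INODE_OFF + 4] = struct.pack("<I", 2)  # inode -> block 2
    img[2 * BLOCK_SIZE:2 * BLOCK_SIZE + len(file_content)] = file_content
    return img


def data_block_of_root_txt(img: bytearray) -> int:
    """Read the toy inode's block pointer (0 once the file is unlinked)."""
    return struct.unpack("<I", bytes(img[INODE_OFF:INODE_OFF + 4]))[0]


def unlink_root_txt(img: bytearray) -> None:
    """Model of an ordinary rm: only the metadata pointer is cleared; the
    data block is left exactly as it was."""
    img[INODE_OFF:INODE_OFF + 4] = b"\x00" * 4


def recover_by_prefix(img: bytearray, prefix: str) -> List[str]:
    """Carve candidate file contents from the raw image by string prefix."""
    return [s for _, s in extract_strings(bytes(img)) if s.startswith(prefix)]


def wipe_block(img: bytearray, block: int) -> None:
    """What real erasure requires: overwrite the data block itself."""
    img[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE


if __name__ == "__main__":
    image = build_image(CONSTRUCTED_FLAG)
    unlink_root_txt(image)
    print("inode pointer after rm:", data_block_of_root_txt(image))
    print("still carvable from raw device:", recover_by_prefix(image, "flag{"))
    wipe_block(image, 2)
    print("after overwriting the block:", recover_by_prefix(image, "flag{"))
```

After the unlink the pointer reads 0, yet the string scan still returns the file's content, mirroring what `sudo strings /dev/sdb` showed on the box; only after `wipe_block` does the scan come back empty. For a removable stick that held secrets, that is the difference between `rm` and a proper overwrite (`shred`, or full-disk encryption so that the raw blocks are never plaintext in the first place).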
Default Credentials, Easy, External, IoT, Pi-Hole, Penetration Tester Level 1, A05:2021-Security Misconfiguration, Forensics, Sudo Exploitation, Information Disclosure