Mirai

OS: Linux, Difficulty: Easy, IP: 10.10.10.48

Initial enumeration

# Nmap 7.80 scan initiated Mon Sep 30 18:50:39 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,53,80,32469,32414,1214,32400 10.10.10.48
Nmap scan report for 10.10.10.48
Host is up (0.22s latency).

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open   domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open   http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1214/tcp  open   upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open   http    Plex Media Server httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32414/tcp closed unknown
32469/tcp open   upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/30%OT=22%CT=32414%CU=44759%PV=Y%DS=2%DC=T%G=Y%TM=5D9
OS:20152%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)
OS:SEQ(SP=FF%GCD=1%ISR=109%TI=Z%II=I%TS=8)OPS(O1=M54DST11NW6%O2=M54DST11NW6
OS:%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=7120%W
OS:2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNN
OS:SNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 32414/tcp)
HOP RTT       ADDRESS
1   217.00 ms 10.10.14.1
2   217.36 ms 10.10.10.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 30 18:51:22 2019 -- 1 IP address (1 host up) scanned in 43.62 seconds

So apparently we had a PLEX server running on this machine, for some reason. Anyways we had 2 web-servers, 1 DNS port, and 1 SSH port to work with.

Ensure that you edit your /etc/hosts file to point the IP address to the domain of mirai.htb else the website won't load.

So I planned on running gobuster on the website to see what all things I can get.

/admin (Status: 301)
/versions (Status: 200)

Only the /admin directory was something interesting and it had an installation of Pi-Hole. Nothing interesting was going on here, neither on the PLEX server website, it was a default installation. However the name strike to me and I searched for Pi-Hole default credentials and gave it a try on the SSH server, and this vector worked just fine.

Default credentials: pi:raspberry

$ ssh pi@10.10.10.48
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 30 13:36:28 2019 from 10.10.14.10

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),117(i2c),998(gpio),999(spi)
pi@raspberrypi:~ $

User own

pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt; echo
ff837***
pi@raspberrypi:~ $

There was not much science to the user.txt file, however it turns out, getting the root.txt will be a hell of a ride.

Root own

So as I saw that we are part of the sudo group I immediately tried for sudo -l and tried to find what all can I work with, and lo behold, I can be root.

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

So I went ahead and tried reading the /root/root.txt file. To my surprise the contents of the file were the following.

pi@raspberrypi:~ $ sudo cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

This seemed like an external mounting so it was obvious to check /mnt and /media directories.

# /mnt had nothing
pi@raspberrypi:~ $ cd /mnt
pi@raspberrypi:/mnt $ ls -la
total 4
drwxr-xr-x  2 root root    3 Nov  2  2016 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..

# However, the media folder had some interesting information
pi@raspberrypi:/mnt $ cd /media
pi@raspberrypi:/media $ ls -la
total 9
drwxr-xr-x  3 root root 4096 Aug 14  2017 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..
drwxr-xr-x  3 root root 1024 Aug 14  2017 usbstick
pi@raspberrypi:/media $ cd  usbstick/
pi@raspberrypi:/media/usbstick $ ls -al
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
pi@raspberrypi:/media/usbstick $ cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

So as per the notes it turns out that the file has been deleted! Shucks! So after googling I came to a solution on how to recover deleted files from a folder.

grep -a -C 500 'known pattern' /dev/sda | tee /tmp/recover

For this command to run we had to figure out the device file of the usbstick, for this we can simply run df -T and check for the mounting.

pi@raspberrypi:/media/usbstick $ df -T
Filesystem     Type     1K-blocks    Used Available Use% Mounted on
aufs           aufs       8856504 2877048   5506524  35% /
tmpfs          tmpfs       102408    4864     97544   5% /run
/dev/sda1      iso9660    1354528 1354528         0 100% /lib/live/mount/persistence/sda1
/dev/loop0     squashfs   1267456 1267456         0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs          tmpfs       256020       0    256020   0% /lib/live/mount/overlay
/dev/sda2      ext4       8856504 2877048   5506524  35% /lib/live/mount/persistence/sda2
devtmpfs       devtmpfs     10240       0     10240   0% /dev
tmpfs          tmpfs       256020       8    256012   1% /dev/shm
tmpfs          tmpfs         5120       4      5116   1% /run/lock
tmpfs          tmpfs       256020       0    256020   0% /sys/fs/cgroup
tmpfs          tmpfs       256020   10252    245768   5% /tmp
/dev/sdb       ext4          8887      93      8078   2% /media/usbstick
tmpfs          tmpfs        51204       0     51204   0% /run/user/999
tmpfs          tmpfs        51204       0     51204   0% /run/user/1000

It turns out the usbstick is from /dev/sdb device so we can go ahead and run the specified command.

grep -a -C 500 'root.txt' /dev/sdb

The output may take some time to populate, so be patient.

--- SNIP ---
lost+found
         root.txt
damnit.txt;9Y28Ho;9+/
*,.O+-tA01Y1Y1Y

o!:2Y:2Y:2Y
* !92Y2Y2Y
+ !9;9Y3
        8PP
(["       1YS1Y
               <Byc[B)>r &<yZ.Gum^>
                                   1Y
|}*,.+-3d3e4*** [ROOT FLAG WILL BE DISPLAYED]
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

So we have the root.txt file contents, thus completing the challenge.

Learning outcome

I learned about device files, mounting, and getting deleted files back. This was a good box, looked straight forward but had it's own twist and turns.

PreviousBlockyNextPopcorn

Last updated