Mirai is an easy Linux box. It can be exploited by properly enumerating the application and finding an admin directory that discloses pi-hole is used. The default credentials were used to start a SSH shell. The user pi was able to execute all commands as root but the root.txt was lost and stored on the USB. However, it was also lost from the USB and has to be recovered by analysing the hard disk.
Started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT STATE SERVICE VERSION 21/tcp open ftp? 22/tcp open ssh OpenSSH 7.2p2 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 25565/tcp open minecraft Minecraft 1.11.2
Navigating to the webserver shows an empty page. Gobuster was used to find directories and files, the following were found:
http://10.129.103.93/admin (Status: 301) http://10.129.103.93/versions (Status: 200)
Navigating to admin shows this page:
It is running pi-hole. The default credentials are apparantly:
pi : raspberry
These could not be used to authenticate to the application but were used to open an SSH shell as pi. The following command was executed:
can ssh email@example.com
This provided the user.txt.
The permissions for pi were checked:
pi@raspberrypi:~ $ sudo -l Matching Defaults entries for pi on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User pi may run the following commands on localhost: (ALL : ALL) ALL (ALL) NOPASSWD: ALL
Therefore, you can simply run
su - and start a root shell. However, root.txt did not contain the original flag:
root@raspberrypi:~# cat root.txt I lost my original root.txt! I think I may have a backup on my USB stick...
Ok, so lets check where the USB is mounted:
root@raspberrypi:/media/usbstick/lost+found# df -h Filesystem Size Used Avail Use% Mounted on aufs 8.5G 2.8G 5.3G 35% / tmpfs 100M 13M 88M 13% /run /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1 /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs tmpfs 250M 0 250M 0% /lib/live/mount/overlay /dev/sda2 8.5G 2.8G 5.3G 35% /lib/live/mount/persistence/sda2 devtmpfs 10M 0 10M 0% /dev tmpfs 250M 8.0K 250M 1% /dev/shm tmpfs 5.0M 4.0K 5.0M 1% /run/lock tmpfs 250M 0 250M 0% /sys/fs/cgroup tmpfs 250M 8.0K 250M 1% /tmp /dev/sdb 8.7M 93K 7.9M 2% /media/usbstick tmpfs 50M 0 50M 0% /run/user/999 tmpfs 50M 0 50M 0% /run/user/1000
So, theres a USB in /media/usbstick. Let’s investigate that:
pi@raspberrypi:/media/usbstick $ ls damnit.txt lost+found pi@raspberrypi:/media/usbstick $ cat damnit.txt Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James
So, it seems to have been removed and to recover it you will need to analyse the hard disk. For usbstick this is /dev/sdb.
Let’s run strings against it:
I found this box a little bit less fun, it probably is one of the easier boxes from HTB and I did not learn too much from it. Hope you enjoyed the writeup though!