Hack The Box : Mirai Writeup


1.0. Initial Thoughts

First and foremost, HackTheBox is a wonderful resource for practicing and improving cyber security skills and I 100% recommend signing up and trying to hack into a couple boxes yourself.

Mirai was an amusing box to hack into. As with most boxes on HackTheBox, the box’s name provides a “hint” as to what the initial vulnerability of the box could be.

In this case, the box’s name, Mirai, hints at the Mirai Botnet – a self-propagating strain of malware that targeted IoT devices using default credentials in late 2016.


2.0. Gathering Information

Gathering information, or enumerating, is the single most important step in the process of hacking a box.

2.1. Port Scan

First, let’s run a port scan to discover which ports are open and what services are running on them with the following command:

nmap -sC -sV -oA nmap 10.10.10.48
  • -sC runs nmap's default script set against each open port
  • -sV probes open ports for the service name and version
  • -oA <output_name> writes all three output formats (.nmap, .gnmap, .xml)

    Output of nmap scan

From the scan’s results, we can see that ports 22, 53, and 80 are open.

2.1.1. Port 22 – OpenSSH

Port 22 has a typical, run-of-the-mill SSH service running on it. This will most likely come in handy later on in hacking the box.

2.1.2. Port 53 – dnsmasq

Port 53 is running a DNS server, dnsmasq. Dnsmasq is a lightweight DNS forwarder (and DHCP server) commonly found on small network appliances. On its own it is not an obvious way in, but it is worth remembering: a DNS server on a box that also serves a web page says something about what the box is for.

2.1.3. Port 80 – HTTP Server (PiHole)

Port 80 is running a web server. Visiting http://10.10.10.48 returns a blank page with an empty page source, and http://10.10.10.48/robots.txt is blank as well.

But if there’s a web server running on port 80, there has to be something… right? Let’s run a directory scan to see what other attack points we can discover.

2.2. Directory Scan

The tool I prefer to use for directory discovery and scanning is GoBuster. GoBuster is a tool used to brute-force directories and files in an extremely fast and efficient manner.

Initial command:

gobuster -u 10.10.10.48 -w /usr/share/dirb/wordlists/big.txt -x php,js -l -t 30 | tee gobuster.out
  • -u URL of the target host
  • -w path to the wordlist used for brute-forcing
  • -x comma-separated list of file extensions to try for each word
  • -l include the length of the response body in the output
  • -t number of concurrent threads
  • | tee gobuster.out pipe the results through tee, which writes them to the terminal and to gobuster.out at the same time

The issue with this command is that it returns a huge number of false positives: the web server answers with a 200 and a blank page for every path, whether or not the file or directory exists. To get rid of them, the GoBuster command can be revised to report only responses with HTTP status codes 204, 301, 302, or 307, which drops everything that answers 200. The trade-off is that any real page that legitimately answers 200 is hidden too, so this filter is safe only because the blank 200 page is the known "not found" response on this box.

Revised Command:

gobuster -u 10.10.10.48 -w /usr/share/dirb/wordlists/big.txt -x php,js -l -s 204,301,302,307 -t 30 | tee gobuster.out
  • -s comma-separated list of status codes treated as a positive result

Output of GoBuster scan

Success! 10.10.10.48/admin/ answers with a redirect instead of the blank 200 page. Let's look deeper into this finding in the next section.

10.10.10.48/admin/


3.0. Methodology

Once a promising service has been found, it's important to figure out exactly what you're working with in order to find a vulnerability and exploit it.

3.1. What is Pi-hole?

Pi-hole is a lightweight DNS server that acts as a network-wide ad blocker. It's typically installed on a Raspberry Pi on the local network and handed out as the network's DNS server through the router's DHCP settings, so that advertisements are blocked for every client on that network. I can personally vouch for its effectiveness as I use Pi-hole on my own home network.

This box running Pi-hole explains why port 53, the DNS server, was open during the initial port scan: Pi-hole resolves DNS with dnsmasq, which is exactly the service nmap identified.

3.1.1. Brute-Forcing Pi-hole's Login Page

Because I've got a Raspberry Pi at home, I quickly put two and two together, connecting the Mirai Botnet's self-propagating method (logging in with default credentials) to the Raspberry Pi's well-known default credentials, and decided to try the Pi's defaults (user "pi" and password "raspberry") wherever I could. The first place I tried them was Pi-hole's login page at 10.10.10.48/admin/index.php?login, and the second was SSH.

Pi-hole Login Page

The default credentials did not work on Pi-hole's login page, because the Pi-hole installer generates a random admin password at setup time. My next thought was to set up a brute-force login attack while I looked for an alternative way in.

One habit I picked up from IppSec is to always have a job (e.g. a directory scanner, a brute-force login attempt, etc.) running in the background whenever possible. I intercepted the login POST request with Burp Suite, fed it to Hydra to brute-force passwords, and let it run in the background for a short couple of seconds until I realized the obvious entry into the system… SSH.

3.2. SSH using Default Credentials

Trying the Raspberry Pi’s default credentials (user “pi” and password “raspberry”) against the SSH server granted me easy access to the box.

ssh pi@10.10.10.48

SSH access granted with default credentials

3.2.1. Acquiring User Flag

The user flag was obtained with the following command:

pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt

Acquiring the user.txt flag

3.3. Privilege Escalation

The first thing I check is what sudo privileges the current user has; in this case the current user is pi. Sudo privileges can be listed with the following command:

pi@raspberrypi:~ $ sudo -l

Privilege escalation via sudo

The line highlighted in red means the current user, pi, can run any command as root through sudo. That makes privilege escalation a one-liner; the command highlighted in yellow switches to root:

pi@raspberrypi:~ $ sudo su root

NOTE: "sudo su" or "sudo -i" works as well

3.4. Acquiring Root Flag

By convention the root flag on HackTheBox's Linux boxes lives at /root/root.txt. Running the following command led to some unfortunate output…

root@raspberrypi:/home/pi# cat /root/root.txt

root.txt is a phony!

Turns out this box won't be as simple as I thought. The note in /root/root.txt points to a USB stick; I located it at /media/usbstick, but root.txt wasn't there, thanks to James deleting it…

Come on James…

3.4.1. Recovering Deleted Files

Thankfully, I've taken a course on Computer Forensics and know that it's possible to recover deleted files. The basic gist of my course was that, in Unix, everything is a file, including the disk itself, and deleting a file only removes its directory entry and marks its blocks as free: the data stays on the disk until something overwrites it.

The first step is to figure out which block device backs the USB stick's mount point, using the following command:

root@raspberrypi:/media/usbstick# df
  • df ("disk free") reports disk usage per mounted filesystem; its first column names the device behind each mount point

Locating where the USB is mounted

The USB stick is the block device named "sdb", as highlighted above in red. Since a block device is just another file, we can navigate to /dev/ and run strings over the raw device to pull out every printable string on it, deleted file contents included (practical here only because the stick is small):

root@raspberrypi:/dev# strings sdb

Acquiring the root.txt flag

The line highlighted in red is the root.txt flag, sticking out like a sore thumb.
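To see why strings on the raw device still turns up the flag, the following added example (not code from the original writeup) rebuilds the situation on a throwaway ext4 image: it populates the image with a /root.txt, unlinks the file with debugfs the way rm on the mounted stick would, confirms the directory entry is gone, and then carves the contents back out with strings. It needs e2fsprogs (mke2fs and debugfs) but no root, because the image is never mounted; the flag value is a constructed stand-in, not the real one.

```shell
#!/bin/sh
# Added example (not part of the original writeup): reproduce "deleted file is
# still on the raw device" on a throwaway ext4 image, then recover it with
# strings exactly as done against /dev/sdb on the box. Needs e2fsprogs
# (mke2fs, debugfs), no root. DEMO_FLAG is a constructed stand-in value.
set -eu

DEMO_FLAG='flag{constructed-demo-value-not-the-real-root-txt}'   # assumption

# build_image IMG: 16 MiB ext4 image populated with /root.txt.
# "mke2fs -d DIR" copies a directory tree in without mounting anything.
build_image() {
    src=$(mktemp -d)
    printf '%s\n' "$DEMO_FLAG" > "$src/root.txt"
    dd if=/dev/zero of="$1" bs=1024 count=16384 2>/dev/null
    mke2fs -q -F -t ext4 -d "$src" "$1"
    rm -rf "$src"
}

# is_listed IMG NAME: 0 if NAME still has a directory entry in /
is_listed() {
    debugfs -R 'ls /' "$1" 2>/dev/null | grep -q -- "$2"
}

# delete_file IMG: unlink /root.txt the way "rm" on the mounted stick would.
# Only the directory entry and the block allocation go; the data blocks stay.
delete_file() {
    debugfs -w -R 'rm /root.txt' "$1" >/dev/null 2>&1
}

# recover IMG PATTERN: carve the first printable string containing PATTERN
# out of the raw image, the same check as "strings /dev/sdb" on the box
recover() {
    strings "$1" | grep -m1 -F -- "$2"
}

demo() {
    img=$(mktemp)
    build_image "$img"
    is_listed "$img" root.txt && echo "before: root.txt is listed in /"
    delete_file "$img"
    is_listed "$img" root.txt || echo "after:  root.txt is gone from the directory"
    echo "carved from raw image: $(recover "$img" "$DEMO_FLAG")"
    rm -f "$img"
}

if command -v mke2fs >/dev/null 2>&1 && command -v debugfs >/dev/null 2>&1; then
    demo
else
    echo "install e2fsprogs (mke2fs, debugfs) to run the demo" >&2
fi
```

The unlink only drops the directory entry and marks the blocks free; until something reuses them the bytes are still there for strings, or for a proper carver such as photorec, to find. That is also why the sound forensic move on a real engagement is to image the device first (dd if=/dev/sdb of=stick.img) and work on the copy, so that nothing you run on the box overwrites the very blocks you are trying to recover.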


4.0. Conclusion

Mirai is a fantastic entry-level box that teaches you how the Linux file system works. My two main takeaways from this box were:

  1. Default credentials should always be considered when testing for a way into a box
  2. Everything is a file in a Unix operating system, even a disk!

A lot more enumeration should have been done on the box, but the few hints that were provided helped me to quickly find the flags and skip the unnecessary enumeration.


Sason

I'm a college student currently studying Computer Science with a focus in Information Assurance and Security. I like Python, learning new things, and going fast.
